Splunk® Supported Add-ons

Splunk Add-on for Check Point Log Exporter

Release history for Check Point Log Exporter

Version 1.2.0 of the Splunk Add-on for Check Point Log Exporter was released on February 15. 2024. See Release notes for the Splunk Add-on for Check Point Log Exporter.

Version 1.1.1

Version 1.1.1 of the Splunk Add-on for Check Point Log Exporter was released on January 12, 2023.

About this release

Version 1.1.1 of the Splunk Add-on for Check Point Log Exporter is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.2, 9.0
CIM 5.0.2
Platforms Platform independent
Vendor Products Check Point Software R81 and R81.10, Check Point Endpoint client version E84.30 and E86.20, Check Point Management server version: R80.40, R81.10

New Features

  • Compatibility with CIM v5.0.2

Fixed issues

Version 1.1.1 of the Splunk Add-on for Check Point Log Exporter contains the following fixed issues:

  • Resolved reference cycle issue in the lookups for the sourcetypes cp_log and cp_log:syslog.


Known issues

Version 1.1.1 of the Splunk Add-on for Check Point Log Exporter has the following known issues. If none appear, none have been reported:


Date filed Issue number Description
2023-01-10 ADDON-59604 Issue in file_path field extraction

Third-party software attributions

Version 1.1.1 of the Splunk Add-on for Check Point Log Exporter does not incorporate any third-party libraries.

Version 1.1.0

Version 1.1.0 of the Splunk Add-on for Check Point Log Exporter is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2
CIM 5.0.0
Platforms Platform independent
Vendor Products Check Point Software R81 and R81.10, Check Point Endpoint client version E84.30 and E86.20, Check Point Management server version: R80.40, R81.10

New Features

  • Compatibility with CIM v5.0.0
  • Added support for below new blades

Blade Source CLI checkpoint:audit Identity Awareness checkpoint:sessions Endpoint checkpoint:endpoint


  • Enhanced existing CIM extractions
  • Added support for 2 new DM: Inventory and Change Network
  • Log out logs will be tagged with Change DM instead of Authentication DM
  • Fixed extraction for file_path field of Malware DM
  • Updated search query for cp_change and cp_change_audit event types for tracking accurate audit logs
  • Fixed extraction for event_action=" Detect", previously action was blocked now it will be allowed.
  • Enhanced extractions for bytes_in, bytes_out and packets_in, packets_out

Field changes

Sourcetype Applicable events Fields v1 v2
Added Fields Modified Fields Removed Fields
['cp_log:syslog'] product="Application Control" AND proto=* session_id, event_src, packets_in, packets_out, bytes_out, direction, dvc_ip, bytes_in, dest_interface
['cp_log:syslog'] product="Connectra" AND event_type="Login" session_id, event_src, direction, dvc_ip, protocol_version, authentication_method tag, eventtype, tag::eventtype, app, action communicate,network, cp_network_communicate, communicate,network, https, Log In authentication, cp_auth_logs, authentication, Mobile Access Portal, success
['cp_log:syslog'] event_type="Logout" result, object_category, tag, session_id, event_src, eventtype, tag::eventtype, object, direction, dvc_ip, object_id, change_type, status, object_attrs action Log Out logoff
['cp_log:syslog'] product="Identity Awareness" AND identity_src="AD Query" tag, app, event_src, eventtype, tag::eventtype, vendor_product, id, dest, authentication_method, dest_nt_domain, dvc, src_ip, dest_ip action, src, source Update, 10.160.174.195, checkpoint:cp_default success, 10.160.0.11, checkpoint:sessions
['cp_log:syslog'] product="SmartDefense" event_src, file_path, bytes_out, direction, dvc_ip, bytes_in, src_interface, protocol_version
['cp_log:syslog'] protection_type="URL reputation", protection_type="protection" event_src, action, direction, dvc_ip, src_interface, protocol_version
['cp_log:syslog'] session_name="IPS" AND fieldchanges=* object_category, session_id, direction, dvc_ip, object_id, user_type, object_attrs tag, eventtype, tag::eventtype audit, cp_change_audit, audit , cp_change,
['cp_log:syslog'] internal_ca="VPN certificate created" result, object_category, tag, eventtype, tag::eventtype, object, direction, dvc_ip, object_id, change_type, dest_interface, status action Key Install created
['cp_log:syslog'] package_action="Install" result, object_category, tag, action, eventtype, tag::eventtype, command, object, direction, dvc_ip, object_id, change_type, status, object_attrs
['cp_log:syslog'] product="SmartConsole" AND operation="Delete Object" tag, session_id, eventtype, tag::eventtype, direction, dvc_ip, object_id, user_type
['cp_log:syslog'] product="DLP" AND reject_category="User '<user>' has failed to log into the portal" tag, app, event_src, eventtype, tag::eventtype, direction, dvc_ip, dest, dest_ip action Reject failure
['cp_log:syslog'] subject="Object Manipulation" AND operation="Modify Object" session_id, direction, dvc_ip, user_type, object_attrs tag, eventtype, tag::eventtype, dest, dest_ip audit, cp_change_audit, audit, 10.160.113.11, 10.160.113.11 , cp_change, , 10.160.0.11, 10.160.0.11
['cp_log:syslog'] operation="Install Policy" result_id, user_type, direction, dvc_ip dest, src_ip, src, dest_ip 10.160.113.11, 10.160.0.11, 10.160.0.11, 10.160.113.11 10.160.0.11, 10.160.113.11, 10.160.113.11, 10.160.0.11
['cp_log:syslog'] product="Identity Awareness" AND error_description="Identity information will be deleted" app, type, body, vendor_product, id, dest, dvc, src_ip, description, src source checkpoint:cp_default checkpoint:sessions
['cp_log:syslog'] event_type="Status Changed" event_src, direction, dvc_ip, change_type, object_attrs tag, eventtype, tag::eventtype audit, cp_change_audit, audit , cp_change,
['cp_log:syslog'] subject="Endpoint Activity" AND objecttype="endpoint" tag, endpoint_sam, endpoint_type, tag::eventtype, eventtype, endpoint_workgroup, endpoint_sid, description
['cp_log:syslog'] subject="Object Manipulation" AND objecttype="PolicyUpdateTime" result, object_category, status, user_name, vendor_product, dest, dvc, user, src_user, object_id, id, user_type, src_ip, src, command, src_user_name, object, change_type, date, object_attrs, dest_ip tag, eventtype, tag::eventtype, action, source audit, cp_change_audit, audit, Accept, checkpoint:cp_default , cp_change, , modified, checkpoint:endpoint
['cp_log:syslog'] product="Forensics" event_src, direction, dvc_ip file_path url c:\\users\\administrator\\downloads\\ c:\users\administrator\downloads\
['cp_log:syslog'] operation="Log In" result_id, direction, dvc_ip, change_type, user_type, authentication_method eventtype, dest, src_ip, src, dest_ip , 10.160.113.11, 10.160.0.11, 10.160.0.11, 10.160.113.11 cp_auth_logs, 10.160.0.11, 10.160.113.11, 10.160.113.11, 10.160.0.11
['cp_log:syslog'] protection_type="URL Filtering" AND action="Detect" event_src, action, file_path, direction, dvc_ip, category, ids_type, signature
['cp_log:syslog'] event_type="TE Info Event" AND reason="Valid_TE_License" object_category, event_src, action, object, direction, dvc_ip, change_type, status, object_attrs tag, eventtype, tag::eventtype alert, cp_alert, alert change, cp_change, change
['cp_log:syslog'] product="Threat Emulation" AND action="Detect" event_src, direction, dvc_ip, protocol_version, dest_interface app, action Threat Emulation, blocked http, allowed
['cp_log:syslog'] product="Threat Extraction" AND failure_impact=* tag, app, eventtype, tag::eventtype, direction, dvc_ip, signature dest dest_ip 10.160.0.11 splunk
['cp_log:syslog'] session_name="APPI Update" object_category, session_id, direction, dvc_ip, object_id, user_type, object_attrs tag, eventtype, tag::eventtype audit, cp_change_audit, audit , cp_change,
['cp_log:syslog'] db_ver=* and update_status=* dest_ip, change_type, direction, dvc_ip tag, eventtype, tag::eventtype, object_attrs audit, cp_change_audit, audit, database version , cp_change, , db_ver-27022201
['cp_log:syslog'] operation="Log Out" AND product="WEB_API" object_category, session_id, object, direction, dvc_ip, object_id, change_type, user_type, object_attrs tag, eventtype, tag::eventtype, action authentication, , authentication, success change, cp_logout_logs, change, logoff
['cp_log:syslog'] product="Threat Emulation" AND errors=* event_src, direction, dvc_ip, protocol_version, signature
['cp_log:syslog'] product="VPN-1 & FireWall-1" src_interface, event_src, direction, dvc_ip
['cp_log:syslog'] product="VPN-1 & FireWall-1" AND hll_key=* session_id, event_src, packets_in, packets_out, bytes_out, direction, dvc_ip, bytes_in, src_interface, dest_interface
['cp_log:syslog'] service_id="echo-request" session_id, event_src, icmp_code, direction, dvc_ip, icmp_type, dest_interface
['cp_log:syslog'] product="Connectra" AND action="Failed Log In" session_id, event_src, direction, dvc_ip, protocol_version, authentication_method tag, eventtype, tag::eventtype, app, action communicate,network, cp_network_communicate, communicate,network, https, Failed Log In authentication, cp_auth_logs, authentication, Mobile Access Portal, failure
['cp_log:syslog'] product="Connectra" AND action="Reject" session_id, event_src, file_path, direction, dvc_ip, protocol_version action Reject blocked
['cp_log:syslog'] product="Log Update" AND action="Accept" event_src, packets_in, packets_out, bytes_out, direction, dvc_ip, bytes_in, src_interface, protocol_version, dest_interface action Accept allowed

CIM changes

Source Applicable Events Previous CIM model New CIM model
checkpoint:audit auth_method="Password" Network_Traffic Authentication
checkpoint:audit fieldschanges=* NOT audit_status=* Change.Auditing_Changes Change.All_Changes
checkpoint:sessions error_description="Identity information will be deleted" Alerts
checkpoint:firewall new_status=* Change.Auditing_Changes Change.All_Changes
checkpoint:endpoint objecttype="PolicyUpdateTime" AND operation="Modify Object" Change.Auditing_Changes
checkpoint:ids_malware product="Threat Emulation" AND reason="Valid_TE_License" Alerts Change.All_Changes
checkpoint:web update_status=* AND db_ver=* Change.Auditing_Changes Change.All_Changes
checkpoint:audit operation="Log Out" Authentication Change.All_Changes
checkpoint:audit product="Connectra" AND event_type="Logout", product="System Monitor" AND package_action="Install", product="SmartConsole" AND operation="Delete Object" Change.All_Changes
checkpoint:sessions product="Identity Awareness" AND identity_src="AD Query" Authentication
checkpoint:firewall internal_ca="VPN certificate created" Change.Network_Changes
checkpoint:firewall product="DLP" AND reject_category="User '<user>' has failed to log into the portal" Authentication
checkpoint:sessions product="Identity Awareness" AND error_description="Identity information will be deleted" Alerts
checkpoint:endpoint subject="Endpoint Activity" AND objecttype="endpoint" Inventory.All_Inventory.OS
checkpoint:endpoint subject="Object Manipulation" AND objecttype="PolicyUpdateTime" Change.All_Changes
checkpoint:ids_malware product="Threat Extraction" AND failure_impact=* Alerts


Fixed issues

Version 1.1.0 of the Splunk Add-on for Check Point Log Exporter contains the following fixed issues.


Known issues

Version 1.1.0 of the Splunk Add-on for Check Point Log Exporter has the following known issues.


Date filed Issue number Description
2023-01-10 ADDON-59604 Issue in file_path field extraction
2022-07-20 ADDON-54031 Reference cycle in the lookup configuration

Workaround:
Workaround is provide to the customer.

Third-party software attributions

Version 1.1.0 of the Splunk Add-on for Check Point Log Exporter does not incorporate any third-party libraries.

Version 1.0.1

Version 1.0.1 of the Splunk Add-on for Check Point Log Exporter was released on August 13, 2021.

About this release

Version 1.0.1 of the Splunk Add-on for Check Point Log Exporter is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0, 8.1, 8.2
CIM 4.19
Platforms Platform independent
Vendor Products Check Point Software R81, Checkpoint Endpoint client version E84.30, Checkpoint Management server version: R80.40

Fixed issues

Version 1.0.1 of the Splunk Add-on for Check Point Log Exporter contains the following fixed issues.

  • The extractions for sender, recipient, subject have been updated.
  • Updated the extraction for CIM field rule from policy field in the log-line.
  • A new MV field remediated_file_list has been created to list the names of the remediated files from field remediated_files



Known issues

Version 1.0.1 of the Splunk Add-on for Check Point Log Exporter has the following known issues.


Date filed Issue number Description
2022-07-20 ADDON-54031 Reference cycle in the lookup configuration

Workaround:
Workaround is provide to the customer.

Third-party software attributions

Version 1.0.1 of the Splunk Add-on for Check Point Log Exporter does not incorporate any third-party libraries.


Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Check Point Log Exporter was released on April 14, 2021.

About this release

Version 1.0.0 of the Splunk Add-on for Check Point Log Exporter is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0, 8.1, 8.2
CIM 4.19
Platforms Platform independent
Vendor Products Check Point Software R81, Checkpoint Endpoint client version E84.30, Checkpoint Management server version: R80.40

New and updated features

The following are features provided by the new Splunk Add-on for Check Point Log Exporter version 1.0.0.

  • Provides migration from the Checkpoint App for Splunk. The add-on contains the data collection and data extraction logic and CIM complaint mappings.
  • If your Splunk environment has the Splunk Add-on for Checkpoint OPSEC LEA installed, then the event feed from that TA needs to be disabled to prevent data duplication in your Splunk environment. Refer to the Migrate section for further details.
  • Support for Syslog data ingestion using the Log Exporter in the following formats and source types:
  • Latest version of Check Point Gaia supported R81, Checkpoint Endpoint client version E84.30, Checkpoint Management server version: R80.40.
  • Latest CIM version supported: 4.19
    • SC4S support for both splunk & syslog log format
    • Compatibility/Easy Migration from Checkpoint App

The following products are currently supported in the add-on. The mapping of the sources is based on the names of the products.

Product Source
Scheduled system update checkpoint:audit
WEB_API checkpoint:audit
SmartDashboard checkpoint:audit
System Monitor checkpoint:audit
Log Update checkpoint:audit
license-mgmt checkpoint:audit
smart_event checkpoint:audit
SmartConsole checkpoint:audit
SmartEvent Client checkpoint:audit
SmartUpdate checkpoint:audit
WEB-UI checkpoint:audit
SmartView checkpoint:audit
Security Gateway/Management checkpoint:audit
SmartDefense checkpoint:audit
Smart Defense checkpoint:audit
Web_API_internal checkpoint:audit
Eventia Analyzer Client checkpoint:audit
SmartProvisioning Connector checkpoint:audit
SmartLSM Endpoint Security Console checkpoint:audit
SmartLSM checkpoint:audit
ROBO GUI checkpoint:audit
Management Blade checkpoint:audit
Connectra checkpoint:audit
Check Point Security Management Server checkpoint:audit
MTA checkpoint:email
Anti-Spam checkpoint:email
Anti Spam checkpoint:email
Endpoint Management checkpoint:endpoint
Core checkpoint:endpoint
Endpoint Compliance checkpoint:endpoint
MEPP checkpoint:endpoint
Media Encryption & Port Protection checkpoint:endpoint
Endpoint Security Console checkpoint:endpoint
Firewall checkpoint:firewall
DLP checkpoint:firewall
Application Control checkpoint:firewall
RAD checkpoint:firewall
HTTPS Inspection checkpoint:firewall
Compliance checkpoint:firewall
Compliance Blade checkpoint:firewall
VPN-1 & Firewall-1 checkpoint:firewall
Network Security checkpoint:firewall
IPS checkpoint:ids
WIFI checkpoint:ids
Wifi checkpoint:ids
Cellular checkpoint:ids
Threat Emulation checkpoint:ids_malware
New Anti Virus checkpoint:ids_malware
Anti-Virus checkpoint:ids_malware
Anti-Bot checkpoint:ids_malware
Threat Extraction checkpoint:ids_malware
Anti-Ransomware checkpoint:ids_malware
Anti-Exploit checkpoint:ids_malware
Forensics checkpoint:ids_malware
OS Exploit checkpoint:ids_malware
Application checkpoint:ids_malware
Text Message checkpoint:ids_malware
Network Access checkpoint:ids_malware
Zero Phishing checkpoint:ids_malware
Anti-Malware checkpoint:ids_malware
Anti Malware New Anti Virus checkpoint:ids_malware
IOS Profile checkpoint:network
Device checkpoint:network
Mobile Access checkpoint:network
WIFI Network checkpoint:network
VPN checkpoint:sessions
Mobile App checkpoint:sessions
Mobile checkpoint:sessions
URL filtering checkpoint:web

When Product is not available, and only the subproduct is present in the event, the source assignment is as follow:

subproduct source
VPN checkpoint:sessions
VPN-1 checkpoint:sessions

Fixed issues

Version 1.0.0 of the Splunk Add-on for Check Point Log Exporter contains the following fixed issues.


Known issues

Version 1.0.0 of the Splunk Add-on for Check Point Log Exporter has the following known issues.


Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Check Point Log Exporter does not incorporate any third-party libraries.

Last modified on 15 February, 2024
Release notes for the Splunk Add-on for Check Point Log Exporter  

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters