[checkpoint] Update kv split for checkpoint

packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log

@@ -19,3 +19,4 @@
 <134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"]
 <134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"]
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1759720844"; version:"5"; arrival_time:"1759720844"; attachments_num:"1"; delivery_time:"1759720852"; dst:"192.168.1.100"; email_content:"Attachments"; email_headers:"X-IronPort-AV: E=Sophos;i=\"4.20,319,1751234400\";   d=\"png'150?scan'150,208,217,150\";a=\"13313487\" X-IronPort-AV: E=McAfee;i=\"6800,10657,11573\"; a=\"290145815\" "; email_queue_id:"abcdefghijklm"; email_queue_name:"N/A"; lastupdatetime:"1759720852"; links_num:"0"; original_queue_id:"lmnopqrstuvw"; product:"MTA"; s_port:"12345"; scan_ended:"1759720844"; scan_started:"1759720844"; service:"25"; src:"192.168.2.100"; status_update:"1759720852"]

packages/checkpoint/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.44.0"
+  changes:
+    - description: Update KV split logic to take email headers into account.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15745
 - version: "1.43.0"
   changes:
     - description: Update documentation.

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log

@@ -35,3 +35,4 @@
 <134>1 2025-02-18T10:01:41Z TEST_HOSTNAME CheckPoint 10038 - [action:"Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xae027eed,0xef89f5a0,0x5b806530,0x8b665bef}"; origin:"192.168.1.102"; originsicname:"CN=TESTWA022B001,O=TESTWM002001..t2z5yx"; sequencenum:"270"; time:"1739872901"; version:"5"; auth_method:"Password"; auth_method2:"DynamicID"; client_build:"986102607"; client_name:"Test Client"; client_version:"E123.123"; cvpn_category:"Session"; device_identification:"{313A7B1F-5FB8-4608-B0F8-05A2311B6FFF}"; domain_name:"EXAMPLE.LOCAL"; event_type:"Login"; failed_login_factor_num:"0"; host_ip:"10.1.1.1"; host_type:"PC"; hostname:"TEST_HOSTNAME"; lastupdatetime:"1739872901"; login_option:"two-way"; login_timestamp:"1739872901"; mac_address:"ab:cd:ef:01:23:45"; more:"authenticated_machine= (CN=TESTHOST1,OU=Test 2.0,OU=Testcomputers,DC=TEST,DC=LOCAL)"; office_mode_ip:"192.168.1.1"; os_bits:"64bit"; os_build:"19045"; os_edition:"Enterprise"; os_name:"Windows"; os_version:"10"; product:"Test Product"; proto:"6"; proxy_src_ip:"0.0.0.0"; s_port:"0"; service:"443"; session_timeout:"43174"; session_uid:"{31A46FFD-A526-4318-BA17-49CBCDC38A14}"; src:"192.168.211.208"; status:"Success"; suppressed_logs:"0"; tunnel_protocol:"IPSec"; user:" Test User "; user_dn:"CN=Test User,OU=Users,DC=test,DC=local"; user_group:"Users"]
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Reject"; flags:"44676"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.0.1"; originsicname:"CN=cp_mgmt,O=gw-da58d3..tmn8s8"; sequencenum:"22"; time:"1746521905"; version:"5"; dst:"0.0.0.0"; encryption_failure::"no response from peer."; fw_subproduct:"VPN-1"; peer_gateway:"192.168.10.1"; proto:"0"; reject_category:"IKE failure"; rule:"0"; s_port:"0"; scheme::"IKE"; service:"0"; src:"0.0.0.0"; vpn_feature_name:"IKE"]
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Detect"; flags:"44676"; ifdir:"inbound"; ifname:"eth0"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.0.1"; originsicname:"CN=cp_mgmt,O=gw-da58d3..tmn8s8"; sequencenum:"22"; time:"1746491278"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1746456871;policy_name=Standard\]"; attack:"Port Scan"; attack_info:"Host Port Scan"; confidence_level:"5"; dst:"192.168.10.1"; performance_impact:"2"; product:"SmartDefense"; protection_id:"HostPortScan"; protection_name:"Host Port Scan"; protection_type:"anomaly"; proto:"4294967295"; s_port:"0"; service:"4294967295"; severity:"1"; smartdefense_profile:"Standard"; source:"Distinct"; src:"192.168.12.1"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1759720844"; version:"5"; arrival_time:"1759720844"; attachments_num:"1"; delivery_time:"1759720852"; dst:"192.168.1.100"; email_content:"Attachments"; email_headers:"X-IronPort-AV: E=Sophos;i=\"4.20,319,1751234400\";   d=\"png'150?scan'150,208,217,150\";a=\"13313487\" X-IronPort-AV: E=McAfee;i=\"6800,10657,11573\"; a=\"290145815\" "; email_queue_id:"abcdefghijklm"; email_queue_name:"N/A"; lastupdatetime:"1759720852"; links_num:"0"; original_queue_id:"lmnopqrstuvw"; product:"MTA"; s_port:"12345"; scan_ended:"1759720844"; scan_started:"1759720844"; service:"25"; src:"192.168.2.100"; status_update:"1759720852"]

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json

@@ -2451,6 +2451,75 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2025-10-06T03:20:44.000Z",
+            "checkpoint": {
+                "arrival_time": "1759720844",
+                "attachments_num": "1",
+                "delivery_time": "1759720852",
+                "email_content": "Attachments",
+                "email_headers": "X-IronPort-AV: E=Sophos;i=\\\"4.20,319,1751234400\\\";   d=\\\"png'150?scan'150,208,217,150\\\";a=\\\"13313487\\\" X-IronPort-AV: E=McAfee;i=\\\"6800,10657,11573\\\"; a=\\\"290145815\\\"",
+                "email_queue_id": "abcdefghijklm",
+                "email_queue_name": "N/A",
+                "links_num": "0",
+                "logid": "0",
+                "origin_sic_name": "cn=cp_mgmt,o=gw-da58d3..tmn8s8",
+                "original_queue_id": "lmnopqrstuvw",
+                "scan_ended": "1759720844",
+                "scan_started": "1759720844",
+                "status_update": "1759720852"
+            },
+            "destination": {
+                "ip": "192.168.1.100",
+                "port": 25
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "email": {
+                "delivery_timestamp": "1759720852",
+                "local_id": "abcdefghijklm"
+            },
+            "event": {
+                "action": "Accept",
+                "category": [
+                    "network"
+                ],
+                "end": "2025-10-06T03:20:52.000Z",
+                "id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}",
+                "kind": "event",
+                "original": "<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1759720844\"; version:\"5\"; arrival_time:\"1759720844\"; attachments_num:\"1\"; delivery_time:\"1759720852\"; dst:\"192.168.1.100\"; email_content:\"Attachments\"; email_headers:\"X-IronPort-AV: E=Sophos;i=\\\"4.20,319,1751234400\\\";   d=\\\"png'150?scan'150,208,217,150\\\";a=\\\"13313487\\\" X-IronPort-AV: E=McAfee;i=\\\"6800,10657,11573\\\"; a=\\\"290145815\\\" \"; email_queue_id:\"abcdefghijklm\"; email_queue_name:\"N/A\"; lastupdatetime:\"1759720852\"; links_num:\"0\"; original_queue_id:\"lmnopqrstuvw\"; product:\"MTA\"; s_port:\"12345\"; scan_ended:\"1759720844\"; scan_started:\"1759720844\"; service:\"25\"; src:\"192.168.2.100\"; status_update:\"1759720852\"]",
+                "sequence": 1,
+                "timezone": "UTC"
+            },
+            "network": {
+                "direction": "outbound"
+            },
+            "observer": {
+                "egress": {
+                    "interface": {
+                        "name": "eth0"
+                    }
+                },
+                "name": "192.168.1.100",
+                "product": "MTA",
+                "type": "firewall",
+                "vendor": "Checkpoint"
+            },
+            "related": {
+                "ip": [
+                    "192.168.2.100",
+                    "192.168.1.100"
+                ]
+            },
+            "source": {
+                "ip": "192.168.2.100",
+                "port": 12345
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }

packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml

@@ -33,7 +33,7 @@ processors:
   - kv:
       tag: "kv_syslog_structured_semicolon_colon"
       field: syslog5424_sd
-      field_split: '(?<="); '
+      field_split: '(?<!\\")(?<="); (?=\w)'
       value_split: '(?i)(?<=[0-9a-z]):{1,2}(?=")'
       trim_key: " "
       trim_value: " "

packages/checkpoint/data_stream/firewall/fields/fields.yml

@@ -1365,6 +1365,10 @@
       type: keyword
       description: |
         Scan direction.
+    - name: scan_ended
+      type: keyword
+      description: |
+        Scan end time.
     - name: scan_hosts_day
       type: integer
       description: |
@@ -1389,6 +1393,10 @@
       type: keyword
       description: |
         "Infected"/description of a failure.
+    - name: scan_started
+      type: keyword
+      description: |
+        Scan start time.
     - name: scheme
       type: keyword
       description: |

packages/checkpoint/docs/README.md

@@ -534,12 +534,14 @@ The `firewall` data stream provides events from Check Point devices, including f
 | checkpoint.rule_action | Action of the matched rule in the access policy. | keyword |
 | checkpoint.rulebase_id | Layer number. | integer |
 | checkpoint.scan_direction | Scan direction. | keyword |
+| checkpoint.scan_ended | Scan end time. | keyword |
 | checkpoint.scan_hosts_day | Number of unique hosts during the last day. | integer |
 | checkpoint.scan_hosts_hour | Number of unique hosts during the last hour. | integer |
 | checkpoint.scan_hosts_week | Number of unique hosts during the last week. | integer |
 | checkpoint.scan_id | Sequential number of scan. | keyword |
 | checkpoint.scan_mail | Number of emails that were scanned by "AB malicious activity" engine. | integer |
 | checkpoint.scan_results | "Infected"/description of a failure. | keyword |
+| checkpoint.scan_started | Scan start time. | keyword |
 | checkpoint.scheme | Describes the scheme used for the log. | keyword |
 | checkpoint.scope | IP related to the attack. | keyword |
 | checkpoint.script_value_for_one_time_scripts |  | keyword |

packages/checkpoint/manifest.yml

@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.43.0"
+version: "1.44.0"
 description: Collect logs from Check Point with Elastic Agent.
 type: integration
 format_version: "3.0.3"