Console
    Start free

    Collect Check Point EDR logs

    Supported in:

    This document explains how to ingest Check Point EDR (SandBlast) logs to Google Security Operations using the Bindplane agent.

    Check Point EDR generates logs for endpoint threat detection, process activity, file events, and network connections. The parser extracts CEF and key-value fields and maps them to the Unified Data Model (UDM).

    Before you begin

    Make sure you have the following prerequisites:

    • A Google SecOps instance
    • Windows Server 2016 or later, or Linux host with systemd
    • Network connectivity between the Bindplane agent and the Check Point appliance
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • Privileged access to Check Point Appliance with SandBlast

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File

    4. Save the file securely on the system where the Bindplane agent will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.

    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install the Bindplane agent

    Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

    Windows installation

    1. Open Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sc query observiq-otel-collector

      The service should show as RUNNING.

    Linux installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sudo  
systemctl  
status  
observiq-otel-collector

      The service should show as active (running).

    Additional installation resources

    For additional installation options and troubleshooting, see Bindplane agent installation guide .

    Configure the Bindplane agent to ingest syslog and send to Google SecOps

    Locate the configuration file

    • Linux:

       sudo  
nano  
/etc/bindplane-agent/config.yaml

      Windows:

       notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

    Edit the configuration file

    • Replace the entire contents of config.yaml with the following configuration:

        receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/checkpoint_edr 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 '<customer_id>' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 CHECKPOINT_EDR 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/checkpoint_edr_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/checkpoint_edr

    Configuration parameters

    Replace the following placeholders:

    • Receiver configuration:

      • listen_address : IP address and port to listen on:
        • 0.0.0.0 to listen on all interfaces (recommended)
        • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)

    • Exporter configuration:

      • creds_file_path : Full path to ingestion authentication file:
        • Linux: /etc/bindplane-agent/ingestion-auth.json
        • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
      • customer_id : Customer ID copied from the Google SecOps console
      • endpoint : Regional endpoint URL:
        • US: malachiteingestion-pa.googleapis.com
        • Europe: europe-malachiteingestion-pa.googleapis.com
        • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
        • See Regional Endpoints for complete list

    Save the configuration file

    • After editing, save the file:
      • Linux: Press Ctrl+O , then Enter , then Ctrl+X
      • Windows: Click File > Save

    Restart the Bindplane agent to apply the changes

    • To restart the Bindplane agent in Linux, run the following command:

       sudo  
systemctl  
restart  
observiq-otel-collector

      1. Verify the service is running:

         sudo  
systemctl  
status  
observiq-otel-collector

      2. Check logs for errors:

         sudo  
journalctl  
-u  
observiq-otel-collector  
-f

    • To restart the Bindplane agent in Windows, choose one of the following options:

      • Command Prompt or PowerShell as administrator:

         net stop observiq-otel-collector && net start observiq-otel-collector

      • Services console:

        1. Press Win+R , type services.msc , and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.

        4. Verify the service is running:

           sc query observiq-otel-collector

        5. Check logs for errors:

            type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

    Configure syslog in Check Point 1500 Appliance Series

    1. Sign in to the Checkpoint Appliance.
    2. Go to Logs & Monitoring > Log Servers > Syslog Servers.
    3. Click Configure.
    4. Provide the following configuration details:
      • Protocol: Select UDP.
      • Name: Enter a descriptive name.
      • IP Address: Enter the Bindplane agent IP address.
      • Port: Enter the Bindplane agent port number.
      • Select Enablelog server.
      • Select logs to forward: Both system and security logs.
    5. Click Apply.

    UDM mapping table

    Log Field UDM Mapping Logic
    action
    		event.idm.read_only_udm.security_result.action Directly mapped from the action CEF field.
    action_comment
    		event.idm.read_only_udm.additional.fields[<N>].key : action_comment
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of action_comment     		Directly mapped from the action_comment field.
    action_details
    		event.idm.read_only_udm.security_result.action_details Directly mapped from the action_details CEF field.
    additional_info
    		event.idm.read_only_udm.additional.fields[<N>].key : additional_info
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of additional_info     		Directly mapped from the additional_info field.
    am_update_proxy
    		event.idm.read_only_udm.intermediary.domain.name Directly mapped from the am_update_proxy field.
    am_update_source
    		event.idm.read_only_udm.target.url Directly mapped from the am_update_source field.
    client_version
    		event.idm.read_only_udm.metadata.product_version Directly mapped from the client_version field.
    cn1
    		event.idm.read_only_udm.security_result.severity Mapped from the cn1 CEF field and converted to UDM severity values (CRITICAL, HIGH, MEDIUM, LOW, INFO).
    cs1
    		event.idm.read_only_udm.additional.fields[<N>].key : Connectivity State
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of cs1     		Directly mapped from the cs1 field.
    description
    		event.idm.read_only_udm.metadata.description Directly mapped from the description CEF field.
    deviceDirection
    		event.idm.read_only_udm.network.direction Mapped from the deviceDirection field. A value of 0 is mapped to INBOUND , other values are not mapped.
    deviceFacility
    		event.idm.read_only_udm.additional.fields[<N>].key : deviceFacility
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of deviceFacility     		Directly mapped from the deviceFacility field.
    dst
    		event.idm.read_only_udm.network.target.ip Directly mapped from the dst field when event_type is Firewall .
    engine_ver
    		event.idm.read_only_udm.additional.fields[<N>].key : engine_ver
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of engine_ver     		Directly mapped from the engine_ver field.
    ep_rule_id
    		event.idm.read_only_udm.firewall.firewall_rule_id Directly mapped from the ep_rule_id field when event_type is Firewall .
    event_type
    		event.idm.read_only_udm.metadata.product_event_type Directly mapped from the event_type CEF field.
    failed_updates
    		event.idm.read_only_udm.additional.fields[<N>].key : failed_updates
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of failed_updates     		Directly mapped from the failed_updates field.
    file_md5
    		event.idm.read_only_udm.source_file.hash_md5 Directly mapped from the file_md5 field when event_type is TE Event .
    file_name
    		event.idm.read_only_udm.source_file.file_name Directly mapped from the file_name field when event_type is TE Event .
    file_sha1
    		event.idm.read_only_udm.source_file.hash_sha1 Directly mapped from the file_sha1 field when event_type is TE Event .
    file_sha256
    		event.idm.read_only_udm.source_file.hash_sha256 Directly mapped from the file_sha256 field when event_type is TE Event .
    host_type
    		event.idm.read_only_udm.principal.asset.type Mapped from the host_type field. Desktop is converted to WORKSTATION , then the value is uppercased.
    ifdir
    		event.idm.read_only_udm.network.direction Directly mapped from the ifdir field and uppercased when event_type is Firewall .
    installed_products
    		event.idm.read_only_udm.principal.asset.software.name Directly mapped from the installed_products field.
    is_scanned
    		sec_res.detection_fields[<N>].key : is_scanned
    sec_res.detection_fields[<N>].value : Value of is_scanned     		Directly mapped from the is_scanned field.
    local_time
    		event.idm.read_only_udm.additional.fields[<N>].key : local_time
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of local_time     		Directly mapped from the local_time field.
    log_type
    		event.idm.read_only_udm.metadata.log_type Directly mapped from the log_type field.
    loguid
    		event.idm.read_only_udm.metadata.product_log_id Directly mapped from the loguid field.
    machine_guid
    		event.idm.read_only_udm.principal.asset.product_object_id Directly mapped from the machine_guid field.
    media_authorized
    		event.idm.read_only_udm.additional.fields[<N>].key : media_authorized
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of media_authorized     		Directly mapped from the media_authorized field.
    media_class_id
    		event.idm.read_only_udm.additional.fields[<N>].key : media_class_id
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of media_class_id     		Directly mapped from the media_class_id field.
    media_description
    		event.idm.read_only_udm.additional.fields[<N>].key : media_description
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of media_description     		Directly mapped from the media_description field.
    media_encrypted
    		event.idm.read_only_udm.additional.fields[<N>].key : media_encrypted
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of media_encrypted     		Directly mapped from the media_encrypted field.
    media_manufacturer
    		event.idm.read_only_udm.additional.fields[<N>].key : media_manufacturer
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of media_manufacturer     		Directly mapped from the media_manufacturer field.
    media_type
    		event.idm.read_only_udm.additional.fields[<N>].key : media_type
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of media_type     		Directly mapped from the media_type field.
    msg
    		event.idm.read_only_udm.metadata.description Directly mapped from the msg CEF field.
    origin
    		event.idm.read_only_udm.about.ip Directly mapped from the origin CEF field.
    os_name
    		event.idm.read_only_udm.additional.fields[<N>].key : os_name
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of os_name     		Directly mapped from the os_name field.
    os_version
    		event.idm.read_only_udm.principal.asset.platform_software.platform_version Directly mapped from the os_version field.
    policy_date
    		event.idm.read_only_udm.additional.fields[<N>].key : policy_date
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of policy_date     		Directly mapped from the policy_date field.
    policy_guid
    		event.idm.read_only_udm.principal.resource.product_object_id Directly mapped from the policy_guid field.
    policy_name
    		event.idm.read_only_udm.principal.resource.name Directly mapped from the policy_name field.
    policy_number
    		event.idm.read_only_udm.principal.resource.product_object_id Directly mapped from the policy_number field.
    policy_type
    		event.idm.read_only_udm.additional.fields[<N>].key : policy_type
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of policy_type     		Directly mapped from the policy_type field.
    policy_version
    		event.idm.read_only_udm.additional.fields[<N>].key : policy_version
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of policy_version     		Directly mapped from the policy_version field.
    product
    		event.idm.read_only_udm.metadata.product_name Directly mapped from the product CEF field.
    proto
    		event.idm.read_only_udm.network.protocol Directly mapped from the proto field when event_type is Firewall .
    reading_data_access
    		event.idm.read_only_udm.additional.fields[<N>].key : reading_data_access
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of reading_data_access     		Directly mapped from the reading_data_access field.
    requestClientApplication
    		event.idm.read_only_udm.network.http.user_agent Directly mapped from the requestClientApplication field.
    result
    		event.idm.read_only_udm.security_result.summary Directly mapped from the result field.
    rt
    		event.idm.read_only_udm.metadata.event_timestamp.seconds Mapped from the rt field, divided by 1000, and the integer part is taken as seconds.
    rule_name
    		event.idm.read_only_udm.firewall.firewall_rule Directly mapped from the rule_name field when event_type is Firewall .
    s_port
    		event.idm.read_only_udm.network.client.port Directly mapped from the s_port field when event_type is Firewall .
    sequencenum
    		event.idm.read_only_udm.additional.fields[<N>].key : sequencenum
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of sequencenum     		Directly mapped from the sequencenum field.
    service
    		event.idm.read_only_udm.network.target.port Directly mapped from the service field when event_type is Firewall .
    severity
    		event.idm.read_only_udm.security_result.severity Mapped from the severity field and converted to UDM severity values (CRITICAL, HIGH, MEDIUM, LOW, INFO).
    shost
    		event.idm.read_only_udm.principal.hostname Directly mapped from the shost CEF field.
    sig_ver
    		event.idm.read_only_udm.additional.fields[<N>].key : sig_ver
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of sig_ver     		Directly mapped from the sig_ver field.
    src
    		event.idm.read_only_udm.principal.ip Directly mapped from the src CEF field.
    src_machine_name
    		event.idm.read_only_udm.principal.hostname Directly mapped from the src_machine_name field when event_type is empty.
    subject
    		event.idm.read_only_udm.task.task_name Directly mapped from the subject field when event_type is empty.
    suser
    		event.idm.read_only_udm.principal.user.user_display_name Directly mapped from the suser CEF field.
    time
    		event.idm.read_only_udm.metadata.event_timestamp.seconds Directly mapped from the time field and converted to Unix epoch seconds.
    user_name
    		event.idm.read_only_udm.principal.user.email_addresses Directly mapped from the user_name CEF field.
    user_sid
    		event.idm.read_only_udm.principal.user.windows_sid Directly mapped from the user_sid field.
    version
    		event.idm.read_only_udm.additional.fields[<N>].key : version
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of version     		Directly mapped from the version field.
    writing_data_access
    		event.idm.read_only_udm.additional.fields[<N>].key : writing_data_access
    event.idm.read_only_udm.additional.fields[<N>].value.string_value : Value of writing_data_access     		Directly mapped from the writing_data_access field.
    N/A
    		event.idm.read_only_udm.metadata.event_type Set to GENERIC_EVENT if none of principal.ip , principal.hostname , or principal.mac are present in the raw log, otherwise set to STATUS_UPDATE .
    N/A
    		event.idm.read_only_udm.metadata.vendor_name Constant value: Check Point .
    N/A
    		event.idm.read_only_udm.metadata.log_type Constant value: CHECKPOINT_EDR .
    N/A
    		event.idm.read_only_udm.principal.asset.platform_software.platform Set to WINDOWS if os_name contains WINDOWS or Windows .
    N/A
    		event.idm.read_only_udm.network.http.user_agent Set to Check Point Endpoint Security Client if requestClientApplication is present.
    N/A
    		event.edr.data_source Constant value: CHECKPOINT_SANDBLAST when message doesn't contain CEF .

    Change Log

    View the Change Log for this parser

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: