We are currently using the Checkpoint Harmony Email & Collaboration integration to forward logs to our ELK stack. However, we have noticed that the md5 field—which contains the hash values of email attachments—is missing in the parsed events within Elasticsearch, even though it is present in the original JSON payload received via Syslog.
This field is critical for threat detection and correlation in our SIEM dashboards, especially when analyzing DLP and malicious attachment events.
Could this be a parsing issue in the integration package? Or is it expected behavior due to ECS mapping constraints?
Any clarification or update to the integration would be highly appreciated.
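A quick way to separate "the pipeline dropped the field" from "the field was renamed to an ECS name" is to diff the leaves of the raw JSON payload against the indexed document. The script below is an added example, not code from the original post or from the Elastic integration; the syslog line and the parsed document are constructed for illustration and do not reproduce Check Point's real Harmony Email & Collaboration schema or the integration's actual pipeline output. The only ECS names it relies on are `file.hash.md5`, `file.hash.sha1` and `file.hash.sha256`, which exist in ECS.

```python
"""Audit which fields of a raw syslog/JSON event survived ingest parsing.

Added example. The payload below is constructed and does NOT reproduce the
vendor's real event format; the parsed document is a hypothetical ECS-style
rendering of it."""
import json
import re
from typing import Any, Dict, Iterator, Optional, Tuple

# Constructed syslog line carrying a JSON body (hypothetical, not the vendor's schema).
RAW_SYSLOG_LINE = (
    '<134>1 2024-05-01T10:15:00Z hec-forwarder checkpoint - - - '
    '{"event_type": "malicious_attachment", "severity": "high", '
    '"attachment_name": "invoice.pdf", "md5": "d41d8cd98f00b204e9800998ecf8427e", '
    '"sender": "billing@example.com"}'
)

# Constructed document as a hypothetical pipeline might have indexed it:
# every raw field has been renamed to an ECS or vendor namespace except md5,
# which is simply absent.
PARSED_DOC: Dict[str, Any] = {
    "event": {"kind": "alert", "action": "malicious_attachment"},
    "email": {
        "from": {"address": "billing@example.com"},
        "attachments": [{"file": {"name": "invoice.pdf"}}],
    },
    "checkpoint": {"severity": "high"},
}

# ECS hash fields keyed by the hex length of the digest they hold.
ECS_HASH_FIELD_BY_LEN = {32: "file.hash.md5", 40: "file.hash.sha1", 64: "file.hash.sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_syslog_json(line: str) -> Dict[str, Any]:
    """Return the JSON object embedded in a syslog line (text from the first '{')."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON payload found in syslog line")
    return json.loads(line[start:])


def leaves(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted path, scalar) for every leaf of a nested dict/list structure."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaves(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from leaves(val, f"{prefix}[{idx}]")
    else:
        yield prefix, obj


def field_audit(raw: Dict[str, Any], parsed: Dict[str, Any]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify each raw leaf as 'kept' (same path), 'renamed' (same value under
    another path, e.g. an ECS field) or 'dropped' (value nowhere in the document)."""
    by_value: Dict[str, list] = {}
    for path, val in leaves(parsed):
        by_value.setdefault(json.dumps(val), []).append(path)
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for path, val in leaves(raw):
        targets = by_value.get(json.dumps(val), [])
        if path in targets:
            report[path] = ("kept", path)
        elif targets:
            report[path] = ("renamed", targets[0])
        else:
            report[path] = ("dropped", None)
    return report


def dropped_fields(raw: Dict[str, Any], parsed: Dict[str, Any]) -> list:
    """Paths present in the raw payload whose values never reached the document."""
    return sorted(p for p, (status, _) in field_audit(raw, parsed).items() if status == "dropped")


def suggest_ecs_hash_field(value: Any) -> Optional[str]:
    """If a dropped value looks like a hex digest, name the ECS field it belongs in."""
    if isinstance(value, str) and HEX_RE.match(value):
        return ECS_HASH_FIELD_BY_LEN.get(len(value))
    return None


if __name__ == "__main__":
    raw_event = parse_syslog_json(RAW_SYSLOG_LINE)
    for path, (status, where) in field_audit(raw_event, PARSED_DOC).items():
        hint = suggest_ecs_hash_field(raw_event.get(path)) if status == "dropped" else None
        print(f"{path:17} {status:8} {where or ''} {'-> consider ' + hint if hint else ''}")
```

Running it against a real event pair (the syslog line as received and the document fetched back from Elasticsearch) tells you whether the hash was moved to an ECS field such as `file.hash.md5` or never written at all; in the constructed sample only `md5` is reported as dropped. Note the audit matches by value, so a field whose value also appears elsewhere can be misreported as renamed; for hash fields that collision is unlikely in practice.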