Missing md5 field in Harmony Email & Collaboration integration with Elastic

jares · July 23, 2025, 10:52pm

We are currently using the Checkpoint Harmony Email & Collaboration integration to forward logs to our ELK stack. However, we have noticed that the md5 field—which contains the hash values of email attachments—is missing in the parsed events within Elasticsearch, even though it is present in the original JSON payload received via Syslog.

This field is critical for threat detection and correlation in our SIEM dashboards, especially when analyzing DLP and malicious attachment events.

Could this be a parsing issue in the integration package? Or is it expected behavior due to ECS mapping constraints?

Any clarification or update to the integration would be highly appreciated.

andrewkroh · August 19, 2025, 12:06am

Can you share sanitized copy of the event.original value from the checkpoint_email integration where md5 is present that can be used to improve the integration’s test? event.original will be saved in the events produced from the checkpoint API when Preserve original event is toggled on in the integration’s settings.

I don’t see any samples containing md5 in the test data for the integration. So it may be that the field is not used by the pipeline right now.

github.com/elastic/integrations

packages/checkpoint_email/data_stream/event/_dev/test/pipeline/test-event.log

050f9ff9f

{"eventId":"7ded0371a3e1475c9a877e452f23a049","customerId":"us:customername","saas":"office365_emails","entityId":"639c16e1aaa3affd5d3fa4fda5e75765","state":"dismissed","type":"dlp","confidenceIndicator":"malicious","eventCreated":"2024-10-14T20:58:27.073355+00:00","severity":"2","data":"","description":"DLP Engine has detected a leak in ‘please see my credit data’ from user@customer.com","availableEventActions":[{"actionName":"dismiss","actionParameter":{"eventId":"7ded0371a3e1475c9a877e452f23a049"}},{"actionName":"severityChange","actionParameter":{"newSeverity":"Low"}},{"actionName":"severityChange","actionParameter":{"newSeverity":"Medium"}},{"actionName":"severityChange","actionParameter":{"newSeverity":"High"}},{"actionName":"severityChange","actionParameter":{"newSeverity":"Highest"}}]}
{"eventId":"d6e8be30e46748e1a378f115a56f9554","customerId":"elasticsiem","saas":"google_mail","entityId":"32a9bba544c51e4b8cdb1b76183af986","state":"new","type":"anomaly","confidenceIndicator":"detected","eventCreated":"2024-10-04T16:34:33.378000+00:00","severity":"3","description":"info@example.com performed geo-suspicious events: performed activity (login_success) from India (89.160.20.112) and after 10 minutes performed activity (login_success) from United States (216.160.83.56)","data":"#{\"entity_id\": \"104051470704619589250\", \"entity_type\": \"google_user\", \"label\": \"info@example.com\"} performed geo-suspicious events: #{\"entity_id\": \"ce69edfa246e920b3bbe4497bf920cef\", \"entity_type\": \"google_event_login\", \"label\": \"performed activity (login_success)\"} from India (89.160.20.112) and after 9 minutes #{\"entity_id\": \"32a9bba544c51e4b8cdb1b76183af986\", \"entity_type\": \"google_event_login\", \"label\": \"performed activity (login_success)\"} from United States (216.160.83.56)","additionalData":null,"availableEventActions":null,"actions":[],"senderAddress":"test@example.com","entityLink":"https://in.portal.checkpoint.com/dashboard/email&collaboration/CGS1?route=cHJvZmlsZS9nb29nbGVfZXZlbnRfbG9naW4vMzJhOWJiYTU0NGM1MWU0YjhjZGIxYjc2MTgzYWY5ODY="}
{"eventId":"d6e8be30123456789378f01234567894","customerId":"elasticsiem","saas":"google_mail","entityId":"32a9bba1234567898cdb123456789086","state":"detected","type":"malware","confidenceIndicator":"malicious","eventCreated":"2024-10-16T16:34:33.378000+00:00","severity":"4","description":"info@example.com performed geo-suspicious events: performed activity (login_success) from India (175.16.199.1) and after 9 minutes performed activity (login_success) from United States (67.43.156.0)","data":"#{\"entity_id\": \"10412345678919589250\", \"entity_type\": \"google_user\", \"label\": \"info@example.com\"} performed geo-suspicious events: #{\"entity_id\": \"32a9bba1234567898cdb123456789086\", \"entity_type\": \"google_event_login\", \"label\": \"performed activity (login_success)\"} from India (175.16.199.1) and after 9 minutes #{\"entity_id\": \"32a9bba1234567898cdb123456789086\", \"entity_type\": \"google_event_login\", \"label\": \"performed activity (login_success)\"} from United States (67.43.156.0)","additionalData":null,"availableEventActions":null,"actions":[],"senderAddress":"support_edge@example.com","entityLink":"https://in.portal.checkpoint.com/dashboard/email&collaboration/CGS1?route=cHJvZmlsZS9nb29nbGVfZXZlbfvwjfhsdhbvjwvFVFVfvfvGERVsagrbrtRTHRTbfvergerergERBETvregerY="}
{"eventId":"a6d8674a04c30123456789e4d3ebd98","customerId":"exampletest","saas":"google_mail","entityId":"25e0c50123456789e351b0dafa6aafa6","state":"pending","type":"shadow_it","confidenceIndicator":"detected","eventCreated":"2024-10-14T07:02:11.229935+00:00","severity":"3","description":"Shadow IT - john@example.com is using google.com (Search Engine)","data":"#{\"entity_id\": \"a6d8674a04c30123456789e4d3ebd98\", \"entity_type\": \"google_mail_email\", \"label\": \"Shadow IT\"} - #{\"entity_id\": \"113012345678906535444\", \"entity_type\": \"google_user\", \"label\": \"john@example.com\"} is using #{\"entity_id\": \"google.com\", \"entity_type\": \"av_dns_info\", \"label\": \"google.com (Search Engine)\"}","additionalData":null,"availableEventActions":null,"actions":[],"senderAddress":"google-workspace-alerts-noreply@google.com","entityLink":"https://in.portal.checkpoint.com/dashboard/email&collaboration/CGS1?route=cHJvZmlsZS9nsfhvbksdvnjhvdfVBsdbdfFbdbdBDBBdbrtHyujYJNtnhtnhtnOTIxZTM1MWIwZGFmYTZhYWZhNg=="}
{"eventId":"fef4dabcdef0123456789143a5d1b249","customerId":"elastictest","saas":"google_mail","entityId":"f6abcdef01234567892b6d2d35c4b53a","state":"remediated","type":"shadow_it","confidenceIndicator":"detected","eventCreated":"2024-10-14T07:02:14.525285+00:00","severity":"3","description":"Shadow IT - bob@example.com is using google.com (Search Engine)","data":"#{\"entity_id\": \"fef4dabcdef0123456789143a5d1b249\", \"entity_type\": \"google_mail_email\", \"label\": \"Shadow IT\"} - #{\"entity_id\": \"102580123456789888330\", \"entity_type\": \"google_user\", \"label\": \"bob@exa

This file has been truncated. show original

Topic		Replies	Views
Microsoft Filebeat Module - Lack of ECS utilization Beats ecs-elastic-common-schema , filebeat	7	474	October 25, 2022
Additional Variable adding in Detection EMAIL body Elastic Security elastic-stack-alerting , detection-rules	5	875	June 20, 2021
Office 365 Filebeat Module - Improve ECS utilization Beats ecs-elastic-common-schema , filebeat	3	733	October 25, 2022
Imap emails attachments Logstash	2	986	June 14, 2018
Email attachements Logstash	3	650	June 12, 2018

Missing md5 field in Harmony Email & Collaboration integration with Elastic

Related topics