Missing md5 field in Harmony Email & Collaboration integration with Elastic

We are currently using the Checkpoint Harmony Email & Collaboration integration to forward logs to our ELK stack. However, we have noticed that the md5 field—which contains the hash values of email attachments—is missing in the parsed events within Elasticsearch, even though it is present in the original JSON payload received via Syslog.

This field is critical for threat detection and correlation in our SIEM dashboards, especially when analyzing DLP and malicious attachment events.

Could this be a parsing issue in the integration package? Or is it expected behavior due to ECS mapping constraints?

Any clarification or update to the integration would be highly appreciated.

Can you share a sanitized copy of the event.original value from the checkpoint_email integration where md5 is present that can be used to improve the integration’s test? event.original will be saved in the events produced from the checkpoint API when Preserve original event is toggled on in the integration’s settings.

I don’t see any samples containing md5 in the test data for the integration. So it may be that the field is not used by the pipeline right now.