Check Point pipes email telemetry into CrowdStrike SIEM

Check Point announced that email security telemetry can now flow into CrowdStrike Falcon Next‑Gen SIEM, enabling correlation of inbox threats with endpoint and identity signals. That integration tightens the email→identity→endpoint detection chain and changes how SIEM correlation searches should be composed. (globenewswire.com)

Check Point framed the connector as part of its "Open Garden" strategy and said it will unify telemetry from Email & Collaboration Security, Hybrid Mesh, Exposure Management and Workspace into the CrowdStrike Falcon platform. (checkpoint.com) Harmony Email & Collaboration can already forward events in several formats, including "JSON (Splunk HEC/CIM compatible)" and "CrowdStrike ECS compatible", so the same event stream can be ingested directly by a Splunk HEC endpoint or by a CrowdStrike Falcon Next‑Gen SIEM pipeline. (sc1.checkpoint.com)

Jonathan Gold Shalev, Head of Product Management for Email Security at Check Point, called email "a primary entry point for credential theft and account takeover," which is the reason email telemetry should be treated as an identity signal in detection logic rather than as a standalone mail-hygiene feed. (checkpoint.com) CrowdStrike advertises Falcon Next‑Gen SIEM for rapid third‑party telemetry ingestion, UEBA, and GenAI workflow automation for cross‑signal correlation; those are the capabilities that let Check Point email verdicts be joined with endpoint authentication anomalies and process telemetry.

Practical Splunk detection guidance: normalize Check Point email fields (for example eventStates, actionName and the click‑time exception objects) into Splunk CIM Email and Authentication fields, use the mailbox address or userPrincipalName together with Message‑ID as join keys, then correlate phishing verdict events with failed MFA, impossible travel, or new‑device authentications for the same user inside a bounded time window. Treat Message‑ID as a secondary key only: it is set by the sender, so an attacker controls it and it is not guaranteed unique across tenants; the recipient identity plus a time window is the reliable join.

For multi‑client Splunk deployments and fast defense‑industry onboarding, create per‑customer indexes and per‑tenant HEC tokens for the Check Point JSON streams, apply the CIM mapping through a shared technology add-on so saved searches and macros can be reused across tenants, and document the index and sourcetype conventions so DoD audit trails can be reconstructed later.

Map the resulting email→identity→endpoint correlation artifacts to the DoD Zero Trust "User" pillar by surfacing MFA failures, account takeover indicators, phishing verdicts and anomalous authentications in a single dashboard, aligned against the DoD Zero Trust Reference Architecture's User pillar and its capability outcomes.
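The correlation described above, as an added example that is not Check Point's, CrowdStrike's or Splunk's code: a small Python join of email verdicts against identity sign-in events, keyed on the recipient mailbox and a time window. The event schema (field names such as actionName, eventStates, recipient, messageId, userPrincipalName, result, country, device_id) and the sample events are constructed for this illustration and are assumptions, not the connector's real output; the detection thresholds (two MFA failures, a one-hour impossible-travel window, a two-hour look-ahead) are likewise illustrative.

```python
"""Added example (not vendor code): join phishing verdicts with identity signals.
Field names and sample events below are constructed assumptions for illustration."""
from datetime import datetime, timedelta

# Constructed sample email telemetry. The field names are assumed for this
# example and must be replaced with the real connector's schema in production.
EMAIL_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "recipient": "alice@example.mil",
     "messageId": "<m1@evil.example>", "actionName": "Quarantine",
     "eventStates": ["Detected", "Phishing"]},
    {"ts": "2024-05-01T09:05:00", "recipient": "bob@example.mil",
     "messageId": "<m2@partner.example>", "actionName": "Allow",
     "eventStates": ["Clean"]},
    {"ts": "2024-05-01T10:00:00", "recipient": "carol@example.mil",
     "messageId": "<m3@evil.example>", "actionName": "ClickTimeProtect",
     "eventStates": ["Detected", "Phishing", "Clicked"]},
]

# Constructed sample identity telemetry (IdP sign-in style), also assumed.
AUTH_EVENTS = [
    {"ts": "2024-05-01T09:20:00", "userPrincipalName": "alice@example.mil",
     "result": "mfa_failed", "country": "US", "device_id": "known-laptop"},
    {"ts": "2024-05-01T09:25:00", "userPrincipalName": "alice@example.mil",
     "result": "mfa_failed", "country": "US", "device_id": "known-laptop"},
    {"ts": "2024-05-01T09:30:00", "userPrincipalName": "bob@example.mil",
     "result": "mfa_failed", "country": "US", "device_id": "known-laptop"},
    {"ts": "2024-05-01T10:10:00", "userPrincipalName": "carol@example.mil",
     "result": "success", "country": "US", "device_id": "known-laptop"},
    {"ts": "2024-05-01T10:40:00", "userPrincipalName": "carol@example.mil",
     "result": "success", "country": "RO", "device_id": "new-phone"},
]

KNOWN_DEVICES = {"known-laptop"}  # hypothetical device inventory


def parse_ts(s):
    return datetime.fromisoformat(s)


def normalize_email(ev):
    """Map vendor-specific fields onto CIM-style names used as join keys."""
    states = {s.lower() for s in ev["eventStates"]}
    return {
        "_time": parse_ts(ev["ts"]),
        "user": ev["recipient"].lower(),      # CIM Email: recipient (join key)
        "message_id": ev["messageId"],        # CIM Email: message_id (secondary)
        "action": ev["actionName"].lower(),   # CIM: action
        "phishing": "phishing" in states,
        "clicked": "clicked" in states,
    }


def identity_findings(user, start, window=timedelta(hours=2)):
    """Return identity anomalies for `user` in the window after `start`."""
    evs = sorted((e for e in AUTH_EVENTS
                  if e["userPrincipalName"].lower() == user
                  and start <= parse_ts(e["ts"]) <= start + window),
                 key=lambda e: e["ts"])
    findings = []
    if sum(e["result"] == "mfa_failed" for e in evs) >= 2:
        findings.append("repeated_mfa_failure")
    if any(e["result"] == "success" and e["device_id"] not in KNOWN_DEVICES
           for e in evs):
        findings.append("new_device_login")
    # Impossible travel: two successful logins from different countries
    # less than an hour apart.
    succ = [e for e in evs if e["result"] == "success"]
    for a, b in zip(succ, succ[1:]):
        if (a["country"] != b["country"]
                and parse_ts(b["ts"]) - parse_ts(a["ts"]) <= timedelta(hours=1)):
            findings.append("impossible_travel")
            break
    return findings


def correlate():
    """One alert per phishing verdict that coincides with identity anomalies."""
    alerts = []
    for raw in EMAIL_EVENTS:
        em = normalize_email(raw)
        if not em["phishing"]:
            continue
        findings = identity_findings(em["user"], em["_time"])
        if findings:
            alerts.append({"user": em["user"], "message_id": em["message_id"],
                           "email_action": em["action"], "clicked": em["clicked"],
                           "identity_findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

On the sample data this raises two alerts: alice (quarantined phishing followed by repeated MFA failures) and carol (click-time detection followed by a sign-in from an unknown device in a different country within the hour). bob's single MFA failure after a clean message produces nothing, which is the point of keying on the verdict first: the identity anomaly alone is noise, the pairing is the signal.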
