Checkpoint Harmony Email and Collaboration
Overview
Check Point Harmony Email & Collaboration Suite Security delivers unified protection for email, cloud storage and collaboration apps (Office 365, Google Workspace, Teams, Slack). Advanced anti-phishing, zero-day malware sandboxing, URL defense and data loss prevention stop BEC, ransomware and data leaks. Centrally managed with granular policies, threat intelligence and real-time insights for seamless workspace security.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
- Vendor: Check Point
- Supported environment: SaaS
- Detection based on: Telemetry, Alert
- Supported application or feature: Email gateway, Cloud security
Supported events
This integration supports the following event types:
phishing, malware, suspicious malware, dlp, anomaly, shadow_it, malicious_url_click, malicious_url, alert
Configure
How To Set Up The Forwarding
- Log in to the Checkpoint Harmony portal
- Go to the Checkpoint Harmony Email & Collaboration interface
- On the left panel, navigate to Security Settings > Security Engines
- Scroll down to the SIEM Integration section
- Click Configure
- Select HTTP Collector as Transport
- Type `https://intake.sekoia.io/plain` as HTTP Collector URL
Warning
The URL above works for the FRA1 region. For any other region, replace the domain “intake.sekoia.io” with your region’s HTTP-intake domain, for example:
https://app.usa1.sekoia.io/api/v1/intake-http
You can find your region’s domain here: https://docs.sekoia.io/getting_started/regions/
Note that the example carries its own path in place of a bare domain; confirm on the regions page whether `/plain` must still be appended to it.
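- Select JSON as Format
- Enable Add custom header
- Type `X-SEKOIAIO-INTAKE-KEY` as the Custom header name
- Type your intake key as the Custom header value. The intake key identifies your intake to Sekoia.io, so store and share it as you would a credential.
- Click Save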
Info
Events can take up to 15 minutes to be sent by Checkpoint Harmony after being generated.
Create an intake
- Go to the intake page and create a new intake from the format Checkpoint Harmony Email & Collaboration.
- Copy the intake key that was generated.
- Use this intake key in the Checkpoint Harmony configuration as described above.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. Understanding the format is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"event": {
"security_event": {
"entity_info": {
"customer_cluster": [
"8"
],
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "checkpoint",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:22.780083+00:00",
"entity_expiration": 1784739622,
"entity_id": "00000000000000000000000000000000",
"entity_reporter": "emails-9097588-8",
"entity_sub_type": "dlp",
"entity_type": "security_event",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "11111111111111111111111111111111",
"category": "alert",
"confidence_indicator": "detected",
"confidence_level": 5,
"current_state": "detected",
"description": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected #{\"label\": \"PCI\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"}'s mailbox)",
"description_short": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected a leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"})",
"description_text": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"description_tooltips": [
"Member",
"John Doe",
"Credit card number",
"john.doe@mycorp.com",
"2026-01-13T17:00:12",
"Detected"
],
"event_metadata": {
"sender_address": "john.doe@mycorp.com",
"is_internal": null,
"spam_verdict": null,
"is_outgoing": null,
"dlp_detections": [
"Credit card number"
]
},
"event_trigger": {
"type": "Policy",
"id": 17682366990433
},
"matched_security_tool": "avanan_dlp",
"metadata_json": {
"impersonation_description": "Other",
"impersonate_nickname_new": null
},
"multi": false,
"policy_rule_id": 17682366990433,
"saas": "office365_emails",
"severity": 3
},
"entity_security_result": {},
"saas_info": {
"account_id": [
"00000000-0000-0000-0000-000000000000"
],
"entity_id": "22222222222222222222222222222222",
"entity_type": "office365_emails_email",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_creation_time": null,
"saas_spam_verdict": null
},
"security_event_action": [
{
"actor": "checkpoint",
"sec_event_id": "00000000000000000000000000000000",
"error": "",
"create_time": "2026-01-13T17:00:24.438085Z",
"action_type": "send_email_to"
}
],
"time": "2026-01-13T17:00:24.508990Z",
"_id": "11111111111111111111111111111111111111111111111111111111111"
},
"entity": {
"entity_info": {
"customer_cluster": "8",
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "Check Point",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:17.465214Z",
"entity_expiration": 1783962017,
"entity_id": "22222222222222222222222222222222",
"entity_reporter": "emails-9097588-8",
"entity_type": "office365_emails_email",
"entity_updated": "2026-01-13T17:00:17.465218Z",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "33333333333333333333333333333333",
"attachment_count": 0,
"attachments": [],
"bcc": [],
"bcc_user": [],
"body_content_type": "HTML",
"cc": [],
"cc_user": [],
"containers_ids": null,
"containers_names": null,
"dkim_result": "none",
"dmarc_result": "none",
"email_split": "original",
"encryption_status": null,
"envelope_from": null,
"first_folder_name": null,
"folder_history": [],
"forwarder_email": null,
"from_domain": "mycorp.com",
"from_email": "john.doe@mycorp.com",
"from_id": "00000000-0000-0000-0000-000000000000",
"from_name": "John Doe",
"geo_city": "Rennes",
"geo_country": "France",
"geo_region": "Ille-et-Vilaine",
"has_calendar_event": false,
"has_encrypted_attachments": false,
"has_internal_recipient": false,
"insert_time_sqs": "2026-01-13T17:00:17.147000Z",
"internet_message_id": "<O000000000000000000000000000000000@example.com>",
"is_attachment_changed": false,
"is_attachment_restored": false,
"is_body_changed": false,
"is_deleted": false,
"is_encrypted_attachments_removed": null,
"is_first_in_junk": null,
"is_group_user": null,
"is_in_junk": null,
"is_in_s3_quarantine": false,
"is_incoming": false,
"is_inline_handled": false,
"is_internal": false,
"is_links_replaced": false,
"is_outgoing": true,
"is_quarantine_notification": false,
"is_quarantine_user_notification": false,
"is_quarantined": false,
"is_read": null,
"is_restore_declined": false,
"is_restore_requested": false,
"is_restored": false,
"is_sent_from_internal": true,
"is_signed": false,
"is_spam_header_added": false,
"is_splittable": true,
"is_subject_changed": false,
"is_wd_rescan": false,
"manager_address": null,
"matched_workflows": null,
"mode": "monitor",
"ms_quarantine_status": null,
"ms_quarantine_verdict_type": null,
"network_message_id": "66666666-6666-6666-6666-666666666666",
"orig_message_id": null,
"orig_recipient": "john.doe@mycorp.com",
"orig_subject": null,
"password_protected_require_password_time": null,
"password_protected_restore_time": null,
"password_protected_status": null,
"password_protected_uuid": null,
"quarantine_actor": null,
"quarantine_time": null,
"quarantine_uuid": null,
"recipients": [
"jane.doe@test.com"
],
"recipients_hash": "dc44eaf82ea2617fa505c3186253638b",
"recipients_journal": [
"jane.doe@test.com"
],
"recipients_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"reply_to_email": null,
"reply_to_nickname": null,
"report_phishing_blacklist_time": null,
"report_phishing_decline_actor": null,
"report_phishing_decline_reason": null,
"report_phishing_decline_time": null,
"report_phishing_detection_time": null,
"report_phishing_email_hash_md5": null,
"report_phishing_original": null,
"report_phishing_service_name": null,
"report_phishing_service_type": null,
"report_phishing_source": null,
"request_password_at": null,
"restore_actor": null,
"restore_commentary": null,
"restore_decline_actor": null,
"restore_decline_reason": null,
"restore_decline_time": null,
"restore_request_actor_type": null,
"restore_request_source": null,
"restore_request_time": null,
"restore_time": null,
"restored_message_id": null,
"saas_phishing_verdict": null,
"saas_spam_verdict": "1",
"sender_client_ip": "1.2.3.4",
"sender_server_ip": "2001:db8::2fe5",
"sent_datetime": "2026-01-13T17:00:12Z",
"size": 19472,
"smart_banner_category": null,
"source": "mta",
"spf_result": null,
"subject": "Credit card number",
"to": [
"jane.doe@test.com"
],
"to_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"workflow": null
},
"entity_security_result": {
"ap": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 71.57221,
"status_description": null,
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ap",
"payload": {
"reasons_by_category_list": [],
"reasons_by_category": {},
"reasons": []
},
"verdict": "clean",
"security_result_entity_type": "avanan_ap_scan",
"entity_id": "22222222222222222222222222222222"
}
],
"combined_dlp_hit_count": 1,
"combined_verdict": {
"dlp": "leak",
"ms_defender": "clean",
"ap": "clean"
},
"dlp": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "DLP rule match: PCI",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "dlp",
"payload": {
"matches_dlp_rules": [
"PCI"
],
"found_text": [
"****************111"
],
"scan_details": [
"Credit card number (likely): ****************111"
],
"hit_count": 1
},
"verdict": "leak",
"security_result_entity_type": "avanan_dlp",
"entity_id": "22222222222222222222222222222222"
}
],
"findings_summary": [
{
"sectool_name": "avanan_dlp",
"sectool_type": "dlp",
"verdict": "leak"
}
],
"is_clean": false,
"ms_defender": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ms_defender",
"payload": {
"bcl": "0",
"policy_action": "delivered",
"detection_reason": "non_spam",
"scl": "1",
"policy_applied": "none"
},
"verdict": "clean",
"security_result_entity_type": "ms_defender_scan",
"entity_id": "22222222222222222222222222222222"
}
]
},
"saas_info": {
"saas_actor_id": "john.doe@mycorp.com",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_actor_type": "office365_emails_user",
"saas_entity_created": "2026-01-13T17:00:12Z",
"saas_entity_type": "email",
"saas_id": "office365_emails"
},
"time": "2026-01-13T17:00:34.076069Z"
}
}
}
{
"event": {
"security_event": {
"entity_info": {
"customer_cluster": [
"8"
],
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "checkpoint",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:22.780083+00:00",
"entity_expiration": 1784739622,
"entity_id": "00000000000000000000000000000000",
"entity_reporter": "emails-9097588-8",
"entity_sub_type": "dlp",
"entity_type": "security_event",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "11111111111111111111111111111111",
"category": "anomaly",
"confidence_indicator": "detected",
"confidence_level": 5,
"current_state": "detected",
"description": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected #{\"label\": \"PCI\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"}'s mailbox)",
"description_short": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected a leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"})",
"description_text": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"description_tooltips": [
"Member",
"John Doe",
"Credit card number",
"john.doe@mycorp.com",
"2026-01-13T17:00:12",
"Detected"
],
"event_metadata": {
"sender_address": "john.doe@mycorp.com",
"is_internal": null,
"spam_verdict": null,
"is_outgoing": null,
"dlp_detections": [
"Credit card number"
]
},
"event_trigger": {
"type": "Policy",
"id": 17682366990433
},
"matched_security_tool": "avanan_dlp",
"metadata_json": {
"impersonation_description": "Other",
"impersonate_nickname_new": null
},
"multi": false,
"policy_rule_id": 17682366990433,
"saas": "office365_emails",
"severity": 3
},
"entity_security_result": {},
"saas_info": {
"account_id": [
"00000000-0000-0000-0000-000000000000"
],
"entity_id": "22222222222222222222222222222222",
"entity_type": "office365_emails_email",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_creation_time": null,
"saas_spam_verdict": null
},
"security_event_action": [
{
"actor": "checkpoint",
"sec_event_id": "00000000000000000000000000000000",
"error": "",
"create_time": "2026-01-13T17:00:24.438085Z",
"action_type": "send_email_to"
}
],
"time": "2026-01-13T17:00:24.508990Z",
"_id": "11111111111111111111111111111111111111111111111111111111111"
},
"entity": {
"entity_info": {
"customer_cluster": "8",
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "Check Point",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:17.465214Z",
"entity_expiration": 1783962017,
"entity_id": "22222222222222222222222222222222",
"entity_reporter": "emails-9097588-8",
"entity_type": "office365_emails_email",
"entity_updated": "2026-01-13T17:00:17.465218Z",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "33333333333333333333333333333333",
"attachment_count": 0,
"attachments": [],
"bcc": [],
"bcc_user": [],
"body_content_type": "HTML",
"cc": [],
"cc_user": [],
"containers_ids": null,
"containers_names": null,
"dkim_result": "none",
"dmarc_result": "none",
"email_split": "original",
"encryption_status": null,
"envelope_from": null,
"first_folder_name": null,
"folder_history": [],
"forwarder_email": null,
"from_domain": "mycorp.com",
"from_email": "john.doe@mycorp.com",
"from_id": "00000000-0000-0000-0000-000000000000",
"from_name": "John Doe",
"geo_city": "Rennes",
"geo_country": "France",
"geo_region": "Ille-et-Vilaine",
"has_calendar_event": false,
"has_encrypted_attachments": false,
"has_internal_recipient": false,
"insert_time_sqs": "2026-01-13T17:00:17.147000Z",
"internet_message_id": "<O000000000000000000000000000000000@example.com>",
"is_attachment_changed": false,
"is_attachment_restored": false,
"is_body_changed": false,
"is_deleted": false,
"is_encrypted_attachments_removed": null,
"is_first_in_junk": null,
"is_group_user": null,
"is_in_junk": null,
"is_in_s3_quarantine": false,
"is_incoming": false,
"is_inline_handled": false,
"is_internal": false,
"is_links_replaced": false,
"is_outgoing": true,
"is_quarantine_notification": false,
"is_quarantine_user_notification": false,
"is_quarantined": false,
"is_read": null,
"is_restore_declined": false,
"is_restore_requested": false,
"is_restored": false,
"is_sent_from_internal": true,
"is_signed": false,
"is_spam_header_added": false,
"is_splittable": true,
"is_subject_changed": false,
"is_wd_rescan": false,
"manager_address": null,
"matched_workflows": null,
"mode": "monitor",
"ms_quarantine_status": null,
"ms_quarantine_verdict_type": null,
"network_message_id": "66666666-6666-6666-6666-666666666666",
"orig_message_id": null,
"orig_recipient": "john.doe@mycorp.com",
"orig_subject": null,
"password_protected_require_password_time": null,
"password_protected_restore_time": null,
"password_protected_status": null,
"password_protected_uuid": null,
"quarantine_actor": null,
"quarantine_time": null,
"quarantine_uuid": null,
"recipients": [
"jane.doe@test.com"
],
"recipients_hash": "dc44eaf82ea2617fa505c3186253638b",
"recipients_journal": [
"jane.doe@test.com"
],
"recipients_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"reply_to_email": null,
"reply_to_nickname": null,
"report_phishing_blacklist_time": null,
"report_phishing_decline_actor": null,
"report_phishing_decline_reason": null,
"report_phishing_decline_time": null,
"report_phishing_detection_time": null,
"report_phishing_email_hash_md5": null,
"report_phishing_original": null,
"report_phishing_service_name": null,
"report_phishing_service_type": null,
"report_phishing_source": null,
"request_password_at": null,
"restore_actor": null,
"restore_commentary": null,
"restore_decline_actor": null,
"restore_decline_reason": null,
"restore_decline_time": null,
"restore_request_actor_type": null,
"restore_request_source": null,
"restore_request_time": null,
"restore_time": null,
"restored_message_id": null,
"saas_phishing_verdict": null,
"saas_spam_verdict": "1",
"sender_client_ip": "1.2.3.4",
"sender_server_ip": "2001:db8::2fe5",
"sent_datetime": "2026-01-13T17:00:12Z",
"size": 19472,
"smart_banner_category": null,
"source": "mta",
"spf_result": null,
"subject": "Credit card number",
"to": [
"jane.doe@test.com"
],
"to_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"workflow": null
},
"entity_security_result": {
"ap": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 71.57221,
"status_description": null,
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ap",
"payload": {
"reasons_by_category_list": [],
"reasons_by_category": {},
"reasons": []
},
"verdict": "clean",
"security_result_entity_type": "avanan_ap_scan",
"entity_id": "22222222222222222222222222222222"
}
],
"combined_dlp_hit_count": 1,
"combined_verdict": {
"dlp": "leak",
"ms_defender": "clean",
"ap": "clean"
},
"dlp": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "DLP rule match: PCI",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "dlp",
"payload": {
"matches_dlp_rules": [
"PCI"
],
"found_text": [
"****************111"
],
"scan_details": [
"Credit card number (likely): ****************111"
],
"hit_count": 1
},
"verdict": "leak",
"security_result_entity_type": "avanan_dlp",
"entity_id": "22222222222222222222222222222222"
}
],
"findings_summary": [
{
"sectool_name": "avanan_dlp",
"sectool_type": "dlp",
"verdict": "leak"
}
],
"is_clean": false,
"ms_defender": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ms_defender",
"payload": {
"bcl": "0",
"policy_action": "delivered",
"detection_reason": "non_spam",
"scl": "1",
"policy_applied": "none"
},
"verdict": "clean",
"security_result_entity_type": "ms_defender_scan",
"entity_id": "22222222222222222222222222222222"
}
]
},
"saas_info": {
"saas_actor_id": "john.doe@mycorp.com",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_actor_type": "office365_emails_user",
"saas_entity_created": "2026-01-13T17:00:12Z",
"saas_entity_type": "email",
"saas_id": "office365_emails"
},
"time": "2026-01-13T17:00:34.076069Z"
}
}
}
{
"event": {
"security_event": {
"entity_info": {
"customer_cluster": [
"8"
],
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "checkpoint",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:22.780083+00:00",
"entity_expiration": 1784739622,
"entity_id": "00000000000000000000000000000000",
"entity_reporter": "emails-9097588-8",
"entity_sub_type": "dlp",
"entity_type": "security_event",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "11111111111111111111111111111111",
"category": "dlp",
"confidence_indicator": "detected",
"confidence_level": 5,
"current_state": "detected",
"description": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected #{\"label\": \"PCI\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"}'s mailbox)",
"description_short": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected a leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"})",
"description_text": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"description_tooltips": [
"Member",
"John Doe",
"Credit card number",
"john.doe@mycorp.com",
"2026-01-13T17:00:12",
"Detected"
],
"event_metadata": {
"sender_address": "john.doe@mycorp.com",
"is_internal": null,
"spam_verdict": null,
"is_outgoing": null,
"dlp_detections": [
"Credit card number"
]
},
"event_trigger": {
"type": "Policy",
"id": 17682366990433
},
"matched_security_tool": "avanan_dlp",
"metadata_json": {
"impersonation_description": "Other",
"impersonate_nickname_new": null
},
"multi": false,
"policy_rule_id": 17682366990433,
"saas": "office365_emails",
"severity": 3
},
"entity_security_result": {},
"saas_info": {
"account_id": [
"00000000-0000-0000-0000-000000000000"
],
"entity_id": "22222222222222222222222222222222",
"entity_type": "office365_emails_email",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_creation_time": null,
"saas_spam_verdict": null
},
"security_event_action": [
{
"actor": "checkpoint",
"sec_event_id": "00000000000000000000000000000000",
"error": "",
"create_time": "2026-01-13T17:00:24.438085Z",
"action_type": "send_email_to"
}
],
"time": "2026-01-13T17:00:24.508990Z",
"_id": "11111111111111111111111111111111111111111111111111111111111"
},
"entity": {
"entity_info": {
"customer_cluster": "8",
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "Check Point",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:17.465214Z",
"entity_expiration": 1783962017,
"entity_id": "22222222222222222222222222222222",
"entity_reporter": "emails-9097588-8",
"entity_type": "office365_emails_email",
"entity_updated": "2026-01-13T17:00:17.465218Z",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "33333333333333333333333333333333",
"attachment_count": 0,
"attachments": [],
"bcc": [],
"bcc_user": [],
"body_content_type": "HTML",
"cc": [],
"cc_user": [],
"containers_ids": null,
"containers_names": null,
"dkim_result": "none",
"dmarc_result": "none",
"email_split": "original",
"encryption_status": null,
"envelope_from": null,
"first_folder_name": null,
"folder_history": [],
"forwarder_email": null,
"from_domain": "mycorp.com",
"from_email": "john.doe@mycorp.com",
"from_id": "00000000-0000-0000-0000-000000000000",
"from_name": "John Doe",
"geo_city": "Rennes",
"geo_country": "France",
"geo_region": "Ille-et-Vilaine",
"has_calendar_event": false,
"has_encrypted_attachments": false,
"has_internal_recipient": false,
"insert_time_sqs": "2026-01-13T17:00:17.147000Z",
"internet_message_id": "<O000000000000000000000000000000000@example.com>",
"is_attachment_changed": false,
"is_attachment_restored": false,
"is_body_changed": false,
"is_deleted": false,
"is_encrypted_attachments_removed": null,
"is_first_in_junk": null,
"is_group_user": null,
"is_in_junk": null,
"is_in_s3_quarantine": false,
"is_incoming": false,
"is_inline_handled": false,
"is_internal": false,
"is_links_replaced": false,
"is_outgoing": true,
"is_quarantine_notification": false,
"is_quarantine_user_notification": false,
"is_quarantined": false,
"is_read": null,
"is_restore_declined": false,
"is_restore_requested": false,
"is_restored": false,
"is_sent_from_internal": true,
"is_signed": false,
"is_spam_header_added": false,
"is_splittable": true,
"is_subject_changed": false,
"is_wd_rescan": false,
"manager_address": null,
"matched_workflows": null,
"mode": "monitor",
"ms_quarantine_status": null,
"ms_quarantine_verdict_type": null,
"network_message_id": "66666666-6666-6666-6666-666666666666",
"orig_message_id": null,
"orig_recipient": "john.doe@mycorp.com",
"orig_subject": null,
"password_protected_require_password_time": null,
"password_protected_restore_time": null,
"password_protected_status": null,
"password_protected_uuid": null,
"quarantine_actor": null,
"quarantine_time": null,
"quarantine_uuid": null,
"recipients": [
"jane.doe@test.com"
],
"recipients_hash": "dc44eaf82ea2617fa505c3186253638b",
"recipients_journal": [
"jane.doe@test.com"
],
"recipients_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"reply_to_email": null,
"reply_to_nickname": null,
"report_phishing_blacklist_time": null,
"report_phishing_decline_actor": null,
"report_phishing_decline_reason": null,
"report_phishing_decline_time": null,
"report_phishing_detection_time": null,
"report_phishing_email_hash_md5": null,
"report_phishing_original": null,
"report_phishing_service_name": null,
"report_phishing_service_type": null,
"report_phishing_source": null,
"request_password_at": null,
"restore_actor": null,
"restore_commentary": null,
"restore_decline_actor": null,
"restore_decline_reason": null,
"restore_decline_time": null,
"restore_request_actor_type": null,
"restore_request_source": null,
"restore_request_time": null,
"restore_time": null,
"restored_message_id": null,
"saas_phishing_verdict": null,
"saas_spam_verdict": "1",
"sender_client_ip": "1.2.3.4",
"sender_server_ip": "2001:db8::2fe5",
"sent_datetime": "2026-01-13T17:00:12Z",
"size": 19472,
"smart_banner_category": null,
"source": "mta",
"spf_result": null,
"subject": "Credit card number",
"to": [
"jane.doe@test.com"
],
"to_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"workflow": null
},
"entity_security_result": {
"ap": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 71.57221,
"status_description": null,
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ap",
"payload": {
"reasons_by_category_list": [],
"reasons_by_category": {},
"reasons": []
},
"verdict": "clean",
"security_result_entity_type": "avanan_ap_scan",
"entity_id": "22222222222222222222222222222222"
}
],
"combined_dlp_hit_count": 1,
"combined_verdict": {
"dlp": "leak",
"ms_defender": "clean",
"ap": "clean"
},
"dlp": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "DLP rule match: PCI",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "dlp",
"payload": {
"matches_dlp_rules": [
"PCI"
],
"found_text": [
"****************111"
],
"scan_details": [
"Credit card number (likely): ****************111"
],
"hit_count": 1
},
"verdict": "leak",
"security_result_entity_type": "avanan_dlp",
"entity_id": "22222222222222222222222222222222"
}
],
"findings_summary": [
{
"sectool_name": "avanan_dlp",
"sectool_type": "dlp",
"verdict": "leak"
}
],
"is_clean": false,
"ms_defender": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ms_defender",
"payload": {
"bcl": "0",
"policy_action": "delivered",
"detection_reason": "non_spam",
"scl": "1",
"policy_applied": "none"
},
"verdict": "clean",
"security_result_entity_type": "ms_defender_scan",
"entity_id": "22222222222222222222222222222222"
}
]
},
"saas_info": {
"saas_actor_id": "john.doe@mycorp.com",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_actor_type": "office365_emails_user",
"saas_entity_created": "2026-01-13T17:00:12Z",
"saas_entity_type": "email",
"saas_id": "office365_emails"
},
"time": "2026-01-13T17:00:34.076069Z"
}
}
}
{
"event": {
"security_event": {
"entity_info": {
"customer_cluster": [
"8"
],
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "checkpoint",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:22.780083+00:00",
"entity_expiration": 1784739622,
"entity_id": "00000000000000000000000000000000",
"entity_reporter": "emails-9097588-8",
"entity_sub_type": "dlp",
"entity_type": "security_event",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "11111111111111111111111111111111",
"category": "malicious_url_click",
"confidence_indicator": "detected",
"confidence_level": 5,
"current_state": "detected",
"description": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected #{\"label\": \"PCI\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"}'s mailbox)",
"description_short": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected a leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"})",
"description_text": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"description_tooltips": [
"Member",
"John Doe",
"Credit card number",
"john.doe@mycorp.com",
"2026-01-13T17:00:12",
"Detected"
],
"event_metadata": {
"sender_address": "john.doe@mycorp.com",
"is_internal": null,
"spam_verdict": null,
"is_outgoing": null,
"dlp_detections": [
"Credit card number"
]
},
"event_trigger": {
"type": "Policy",
"id": 17682366990433
},
"matched_security_tool": "avanan_dlp",
"metadata_json": {
"impersonation_description": "Other",
"impersonate_nickname_new": null
},
"multi": false,
"policy_rule_id": 17682366990433,
"saas": "office365_emails",
"severity": 3
},
"entity_security_result": {},
"saas_info": {
"account_id": [
"00000000-0000-0000-0000-000000000000"
],
"entity_id": "22222222222222222222222222222222",
"entity_type": "office365_emails_email",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_creation_time": null,
"saas_spam_verdict": null
},
"security_event_action": [
{
"actor": "checkpoint",
"sec_event_id": "00000000000000000000000000000000",
"error": "",
"create_time": "2026-01-13T17:00:24.438085Z",
"action_type": "send_email_to"
}
],
"time": "2026-01-13T17:00:24.508990Z",
"_id": "11111111111111111111111111111111111111111111111111111111111"
},
"entity": {
"entity_info": {
"customer_cluster": "8",
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "Check Point",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:17.465214Z",
"entity_expiration": 1783962017,
"entity_id": "22222222222222222222222222222222",
"entity_reporter": "emails-9097588-8",
"entity_type": "office365_emails_email",
"entity_updated": "2026-01-13T17:00:17.465218Z",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "33333333333333333333333333333333",
"attachment_count": 0,
"attachments": [],
"bcc": [],
"bcc_user": [],
"body_content_type": "HTML",
"cc": [],
"cc_user": [],
"containers_ids": null,
"containers_names": null,
"dkim_result": "none",
"dmarc_result": "none",
"email_split": "original",
"encryption_status": null,
"envelope_from": null,
"first_folder_name": null,
"folder_history": [],
"forwarder_email": null,
"from_domain": "mycorp.com",
"from_email": "john.doe@mycorp.com",
"from_id": "00000000-0000-0000-0000-000000000000",
"from_name": "John Doe",
"geo_city": "Rennes",
"geo_country": "France",
"geo_region": "Ille-et-Vilaine",
"has_calendar_event": false,
"has_encrypted_attachments": false,
"has_internal_recipient": false,
"insert_time_sqs": "2026-01-13T17:00:17.147000Z",
"internet_message_id": "<O000000000000000000000000000000000@example.com>",
"is_attachment_changed": false,
"is_attachment_restored": false,
"is_body_changed": false,
"is_deleted": false,
"is_encrypted_attachments_removed": null,
"is_first_in_junk": null,
"is_group_user": null,
"is_in_junk": null,
"is_in_s3_quarantine": false,
"is_incoming": false,
"is_inline_handled": false,
"is_internal": false,
"is_links_replaced": false,
"is_outgoing": true,
"is_quarantine_notification": false,
"is_quarantine_user_notification": false,
"is_quarantined": false,
"is_read": null,
"is_restore_declined": false,
"is_restore_requested": false,
"is_restored": false,
"is_sent_from_internal": true,
"is_signed": false,
"is_spam_header_added": false,
"is_splittable": true,
"is_subject_changed": false,
"is_wd_rescan": false,
"manager_address": null,
"matched_workflows": null,
"mode": "monitor",
"ms_quarantine_status": null,
"ms_quarantine_verdict_type": null,
"network_message_id": "66666666-6666-6666-6666-666666666666",
"orig_message_id": null,
"orig_recipient": "john.doe@mycorp.com",
"orig_subject": null,
"password_protected_require_password_time": null,
"password_protected_restore_time": null,
"password_protected_status": null,
"password_protected_uuid": null,
"quarantine_actor": null,
"quarantine_time": null,
"quarantine_uuid": null,
"recipients": [
"jane.doe@test.com"
],
"recipients_hash": "dc44eaf82ea2617fa505c3186253638b",
"recipients_journal": [
"jane.doe@test.com"
],
"recipients_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"reply_to_email": null,
"reply_to_nickname": null,
"report_phishing_blacklist_time": null,
"report_phishing_decline_actor": null,
"report_phishing_decline_reason": null,
"report_phishing_decline_time": null,
"report_phishing_detection_time": null,
"report_phishing_email_hash_md5": null,
"report_phishing_original": null,
"report_phishing_service_name": null,
"report_phishing_service_type": null,
"report_phishing_source": null,
"request_password_at": null,
"restore_actor": null,
"restore_commentary": null,
"restore_decline_actor": null,
"restore_decline_reason": null,
"restore_decline_time": null,
"restore_request_actor_type": null,
"restore_request_source": null,
"restore_request_time": null,
"restore_time": null,
"restored_message_id": null,
"saas_phishing_verdict": null,
"saas_spam_verdict": "1",
"sender_client_ip": "1.2.3.4",
"sender_server_ip": "2001:db8::2fe5",
"sent_datetime": "2026-01-13T17:00:12Z",
"size": 19472,
"smart_banner_category": null,
"source": "mta",
"spf_result": null,
"subject": "Credit card number",
"to": [
"jane.doe@test.com"
],
"to_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"workflow": null
},
"entity_security_result": {
"ap": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 71.57221,
"status_description": null,
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ap",
"payload": {
"reasons_by_category_list": [],
"reasons_by_category": {},
"reasons": []
},
"verdict": "clean",
"security_result_entity_type": "avanan_ap_scan",
"entity_id": "22222222222222222222222222222222"
}
],
"combined_dlp_hit_count": 1,
"combined_verdict": {
"dlp": "leak",
"ms_defender": "clean",
"ap": "clean"
},
"dlp": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "DLP rule match: PCI",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "dlp",
"payload": {
"matches_dlp_rules": [
"PCI"
],
"found_text": [
"****************111"
],
"scan_details": [
"Credit card number (likely): ****************111"
],
"hit_count": 1
},
"verdict": "leak",
"security_result_entity_type": "avanan_dlp",
"entity_id": "22222222222222222222222222222222"
}
],
"findings_summary": [
{
"sectool_name": "avanan_dlp",
"sectool_type": "dlp",
"verdict": "leak"
}
],
"is_clean": false,
"ms_defender": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ms_defender",
"payload": {
"bcl": "0",
"policy_action": "delivered",
"detection_reason": "non_spam",
"scl": "1",
"policy_applied": "none"
},
"verdict": "clean",
"security_result_entity_type": "ms_defender_scan",
"entity_id": "22222222222222222222222222222222"
}
]
},
"saas_info": {
"saas_actor_id": "john.doe@mycorp.com",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_actor_type": "office365_emails_user",
"saas_entity_created": "2026-01-13T17:00:12Z",
"saas_entity_type": "email",
"saas_id": "office365_emails"
},
"time": "2026-01-13T17:00:34.076069Z"
}
}
}
{
"event": {
"security_event": {
"entity_info": {
"customer_cluster": [
"8"
],
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "checkpoint",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:22.780083+00:00",
"entity_expiration": 1784739622,
"entity_id": "00000000000000000000000000000000",
"entity_reporter": "emails-9097588-8",
"entity_sub_type": "dlp",
"entity_type": "security_event",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "11111111111111111111111111111111",
"category": "malicious_url",
"confidence_indicator": "detected",
"confidence_level": 5,
"current_state": "detected",
"description": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected #{\"label\": \"PCI\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"}'s mailbox)",
"description_short": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected a leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"})",
"description_text": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"description_tooltips": [
"Member",
"John Doe",
"Credit card number",
"john.doe@mycorp.com",
"2026-01-13T17:00:12",
"Detected"
],
"event_metadata": {
"sender_address": "john.doe@mycorp.com",
"is_internal": null,
"spam_verdict": null,
"is_outgoing": null,
"dlp_detections": [
"Credit card number"
]
},
"event_trigger": {
"type": "Policy",
"id": 17682366990433
},
"matched_security_tool": "avanan_dlp",
"metadata_json": {
"impersonation_description": "Other",
"impersonate_nickname_new": null
},
"multi": false,
"policy_rule_id": 17682366990433,
"saas": "office365_emails",
"severity": 3
},
"entity_security_result": {},
"saas_info": {
"account_id": [
"00000000-0000-0000-0000-000000000000"
],
"entity_id": "22222222222222222222222222222222",
"entity_type": "office365_emails_email",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_creation_time": null,
"saas_spam_verdict": null
},
"security_event_action": [
{
"actor": "checkpoint",
"sec_event_id": "00000000000000000000000000000000",
"error": "",
"create_time": "2026-01-13T17:00:24.438085Z",
"action_type": "send_email_to"
}
],
"time": "2026-01-13T17:00:24.508990Z",
"_id": "11111111111111111111111111111111111111111111111111111111111"
},
"entity": {
"entity_info": {
"customer_cluster": "8",
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "Check Point",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:17.465214Z",
"entity_expiration": 1783962017,
"entity_id": "22222222222222222222222222222222",
"entity_reporter": "emails-9097588-8",
"entity_type": "office365_emails_email",
"entity_updated": "2026-01-13T17:00:17.465218Z",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "33333333333333333333333333333333",
"attachment_count": 0,
"attachments": [],
"bcc": [],
"bcc_user": [],
"body_content_type": "HTML",
"cc": [],
"cc_user": [],
"containers_ids": null,
"containers_names": null,
"dkim_result": "none",
"dmarc_result": "none",
"email_split": "original",
"encryption_status": null,
"envelope_from": null,
"first_folder_name": null,
"folder_history": [],
"forwarder_email": null,
"from_domain": "mycorp.com",
"from_email": "john.doe@mycorp.com",
"from_id": "00000000-0000-0000-0000-000000000000",
"from_name": "John Doe",
"geo_city": "Rennes",
"geo_country": "France",
"geo_region": "Ille-et-Vilaine",
"has_calendar_event": false,
"has_encrypted_attachments": false,
"has_internal_recipient": false,
"insert_time_sqs": "2026-01-13T17:00:17.147000Z",
"internet_message_id": "<O000000000000000000000000000000000@example.com>",
"is_attachment_changed": false,
"is_attachment_restored": false,
"is_body_changed": false,
"is_deleted": false,
"is_encrypted_attachments_removed": null,
"is_first_in_junk": null,
"is_group_user": null,
"is_in_junk": null,
"is_in_s3_quarantine": false,
"is_incoming": false,
"is_inline_handled": false,
"is_internal": false,
"is_links_replaced": false,
"is_outgoing": true,
"is_quarantine_notification": false,
"is_quarantine_user_notification": false,
"is_quarantined": false,
"is_read": null,
"is_restore_declined": false,
"is_restore_requested": false,
"is_restored": false,
"is_sent_from_internal": true,
"is_signed": false,
"is_spam_header_added": false,
"is_splittable": true,
"is_subject_changed": false,
"is_wd_rescan": false,
"manager_address": null,
"matched_workflows": null,
"mode": "monitor",
"ms_quarantine_status": null,
"ms_quarantine_verdict_type": null,
"network_message_id": "66666666-6666-6666-6666-666666666666",
"orig_message_id": null,
"orig_recipient": "john.doe@mycorp.com",
"orig_subject": null,
"password_protected_require_password_time": null,
"password_protected_restore_time": null,
"password_protected_status": null,
"password_protected_uuid": null,
"quarantine_actor": null,
"quarantine_time": null,
"quarantine_uuid": null,
"recipients": [
"jane.doe@test.com"
],
"recipients_hash": "dc44eaf82ea2617fa505c3186253638b",
"recipients_journal": [
"jane.doe@test.com"
],
"recipients_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"reply_to_email": null,
"reply_to_nickname": null,
"report_phishing_blacklist_time": null,
"report_phishing_decline_actor": null,
"report_phishing_decline_reason": null,
"report_phishing_decline_time": null,
"report_phishing_detection_time": null,
"report_phishing_email_hash_md5": null,
"report_phishing_original": null,
"report_phishing_service_name": null,
"report_phishing_service_type": null,
"report_phishing_source": null,
"request_password_at": null,
"restore_actor": null,
"restore_commentary": null,
"restore_decline_actor": null,
"restore_decline_reason": null,
"restore_decline_time": null,
"restore_request_actor_type": null,
"restore_request_source": null,
"restore_request_time": null,
"restore_time": null,
"restored_message_id": null,
"saas_phishing_verdict": null,
"saas_spam_verdict": "1",
"sender_client_ip": "1.2.3.4",
"sender_server_ip": "2001:db8::2fe5",
"sent_datetime": "2026-01-13T17:00:12Z",
"size": 19472,
"smart_banner_category": null,
"source": "mta",
"spf_result": null,
"subject": "Credit card number",
"to": [
"jane.doe@test.com"
],
"to_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"workflow": null
},
"entity_security_result": {
"ap": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 71.57221,
"status_description": null,
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ap",
"payload": {
"reasons_by_category_list": [],
"reasons_by_category": {},
"reasons": []
},
"verdict": "clean",
"security_result_entity_type": "avanan_ap_scan",
"entity_id": "22222222222222222222222222222222"
}
],
"combined_dlp_hit_count": 1,
"combined_verdict": {
"dlp": "leak",
"ms_defender": "clean",
"ap": "clean"
},
"dlp": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "DLP rule match: PCI",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "dlp",
"payload": {
"matches_dlp_rules": [
"PCI"
],
"found_text": [
"****************111"
],
"scan_details": [
"Credit card number (likely): ****************111"
],
"hit_count": 1
},
"verdict": "leak",
"security_result_entity_type": "avanan_dlp",
"entity_id": "22222222222222222222222222222222"
}
],
"findings_summary": [
{
"sectool_name": "avanan_dlp",
"sectool_type": "dlp",
"verdict": "leak"
}
],
"is_clean": false,
"ms_defender": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ms_defender",
"payload": {
"bcl": "0",
"policy_action": "delivered",
"detection_reason": "non_spam",
"scl": "1",
"policy_applied": "none"
},
"verdict": "clean",
"security_result_entity_type": "ms_defender_scan",
"entity_id": "22222222222222222222222222222222"
}
]
},
"saas_info": {
"saas_actor_id": "john.doe@mycorp.com",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_actor_type": "office365_emails_user",
"saas_entity_created": "2026-01-13T17:00:12Z",
"saas_entity_type": "email",
"saas_id": "office365_emails"
},
"time": "2026-01-13T17:00:34.076069Z"
}
}
}
{
"event": {
"security_event": {
"entity_info": {
"customer_cluster": [
"8"
],
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "checkpoint",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:22.780083+00:00",
"entity_expiration": 1784739622,
"entity_id": "00000000000000000000000000000000",
"entity_reporter": "emails-9097588-8",
"entity_sub_type": "dlp",
"entity_type": "security_event",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "11111111111111111111111111111111",
"category": "malware",
"confidence_indicator": "detected",
"confidence_level": 5,
"current_state": "detected",
"description": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected #{\"label\": \"PCI\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"}'s mailbox)",
"description_short": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected a leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"})",
"description_text": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"description_tooltips": [
"Member",
"John Doe",
"Credit card number",
"john.doe@mycorp.com",
"2026-01-13T17:00:12",
"Detected"
],
"event_metadata": {
"sender_address": "john.doe@mycorp.com",
"is_internal": null,
"spam_verdict": null,
"is_outgoing": null,
"dlp_detections": [
"Credit card number"
]
},
"event_trigger": {
"type": "Policy",
"id": 17682366990433
},
"matched_security_tool": "avanan_dlp",
"metadata_json": {
"impersonation_description": "Other",
"impersonate_nickname_new": null
},
"multi": false,
"policy_rule_id": 17682366990433,
"saas": "office365_emails",
"severity": 3
},
"entity_security_result": {},
"saas_info": {
"account_id": [
"00000000-0000-0000-0000-000000000000"
],
"entity_id": "22222222222222222222222222222222",
"entity_type": "office365_emails_email",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_creation_time": null,
"saas_spam_verdict": null
},
"security_event_action": [
{
"actor": "checkpoint",
"sec_event_id": "00000000000000000000000000000000",
"error": "",
"create_time": "2026-01-13T17:00:24.438085Z",
"action_type": "send_email_to"
}
],
"time": "2026-01-13T17:00:24.508990Z",
"_id": "11111111111111111111111111111111111111111111111111111111111"
},
"entity": {
"entity_info": {
"customer_cluster": "8",
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "Check Point",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:17.465214Z",
"entity_expiration": 1783962017,
"entity_id": "22222222222222222222222222222222",
"entity_reporter": "emails-9097588-8",
"entity_type": "office365_emails_email",
"entity_updated": "2026-01-13T17:00:17.465218Z",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "33333333333333333333333333333333",
"attachment_count": 0,
"attachments": [],
"bcc": [],
"bcc_user": [],
"body_content_type": "HTML",
"cc": [],
"cc_user": [],
"containers_ids": null,
"containers_names": null,
"dkim_result": "none",
"dmarc_result": "none",
"email_split": "original",
"encryption_status": null,
"envelope_from": null,
"first_folder_name": null,
"folder_history": [],
"forwarder_email": null,
"from_domain": "mycorp.com",
"from_email": "john.doe@mycorp.com",
"from_id": "00000000-0000-0000-0000-000000000000",
"from_name": "John Doe",
"geo_city": "Rennes",
"geo_country": "France",
"geo_region": "Ille-et-Vilaine",
"has_calendar_event": false,
"has_encrypted_attachments": false,
"has_internal_recipient": false,
"insert_time_sqs": "2026-01-13T17:00:17.147000Z",
"internet_message_id": "<O000000000000000000000000000000000@example.com>",
"is_attachment_changed": false,
"is_attachment_restored": false,
"is_body_changed": false,
"is_deleted": false,
"is_encrypted_attachments_removed": null,
"is_first_in_junk": null,
"is_group_user": null,
"is_in_junk": null,
"is_in_s3_quarantine": false,
"is_incoming": false,
"is_inline_handled": false,
"is_internal": false,
"is_links_replaced": false,
"is_outgoing": true,
"is_quarantine_notification": false,
"is_quarantine_user_notification": false,
"is_quarantined": false,
"is_read": null,
"is_restore_declined": false,
"is_restore_requested": false,
"is_restored": false,
"is_sent_from_internal": true,
"is_signed": false,
"is_spam_header_added": false,
"is_splittable": true,
"is_subject_changed": false,
"is_wd_rescan": false,
"manager_address": null,
"matched_workflows": null,
"mode": "monitor",
"ms_quarantine_status": null,
"ms_quarantine_verdict_type": null,
"network_message_id": "66666666-6666-6666-6666-666666666666",
"orig_message_id": null,
"orig_recipient": "john.doe@mycorp.com",
"orig_subject": null,
"password_protected_require_password_time": null,
"password_protected_restore_time": null,
"password_protected_status": null,
"password_protected_uuid": null,
"quarantine_actor": null,
"quarantine_time": null,
"quarantine_uuid": null,
"recipients": [
"jane.doe@test.com"
],
"recipients_hash": "dc44eaf82ea2617fa505c3186253638b",
"recipients_journal": [
"jane.doe@test.com"
],
"recipients_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"reply_to_email": null,
"reply_to_nickname": null,
"report_phishing_blacklist_time": null,
"report_phishing_decline_actor": null,
"report_phishing_decline_reason": null,
"report_phishing_decline_time": null,
"report_phishing_detection_time": null,
"report_phishing_email_hash_md5": null,
"report_phishing_original": null,
"report_phishing_service_name": null,
"report_phishing_service_type": null,
"report_phishing_source": null,
"request_password_at": null,
"restore_actor": null,
"restore_commentary": null,
"restore_decline_actor": null,
"restore_decline_reason": null,
"restore_decline_time": null,
"restore_request_actor_type": null,
"restore_request_source": null,
"restore_request_time": null,
"restore_time": null,
"restored_message_id": null,
"saas_phishing_verdict": null,
"saas_spam_verdict": "1",
"sender_client_ip": "1.2.3.4",
"sender_server_ip": "2001:db8::2fe5",
"sent_datetime": "2026-01-13T17:00:12Z",
"size": 19472,
"smart_banner_category": null,
"source": "mta",
"spf_result": null,
"subject": "Credit card number",
"to": [
"jane.doe@test.com"
],
"to_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"workflow": null
},
"entity_security_result": {
"ap": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 71.57221,
"status_description": null,
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ap",
"payload": {
"reasons_by_category_list": [],
"reasons_by_category": {},
"reasons": []
},
"verdict": "clean",
"security_result_entity_type": "avanan_ap_scan",
"entity_id": "22222222222222222222222222222222"
}
],
"combined_dlp_hit_count": 1,
"combined_verdict": {
"dlp": "leak",
"ms_defender": "clean",
"ap": "clean"
},
"dlp": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "DLP rule match: PCI",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "dlp",
"payload": {
"matches_dlp_rules": [
"PCI"
],
"found_text": [
"****************111"
],
"scan_details": [
"Credit card number (likely): ****************111"
],
"hit_count": 1
},
"verdict": "leak",
"security_result_entity_type": "avanan_dlp",
"entity_id": "22222222222222222222222222222222"
}
],
"findings_summary": [
{
"sectool_name": "avanan_dlp",
"sectool_type": "dlp",
"verdict": "leak"
}
],
"is_clean": false,
"ms_defender": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ms_defender",
"payload": {
"bcl": "0",
"policy_action": "delivered",
"detection_reason": "non_spam",
"scl": "1",
"policy_applied": "none"
},
"verdict": "clean",
"security_result_entity_type": "ms_defender_scan",
"entity_id": "22222222222222222222222222222222"
}
]
},
"saas_info": {
"saas_actor_id": "john.doe@mycorp.com",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_actor_type": "office365_emails_user",
"saas_entity_created": "2026-01-13T17:00:12Z",
"saas_entity_type": "email",
"saas_id": "office365_emails"
},
"time": "2026-01-13T17:00:34.076069Z"
}
}
}
{
"event": {
"security_event": {
"entity_info": {
"customer_cluster": [
"8"
],
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "checkpoint",
"customer_region": "eu-west-1",
"entity_created": "2026-01-15T15:49:13.034571+00:00",
"entity_expiration": 1784908153,
"entity_id": "11111111111111111111111111111111",
"entity_reporter": "emails-2167574-8",
"entity_sub_type": "phishing",
"entity_type": "security_event",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "22222222222222222222222222222222",
"category": "phishing",
"confidence_indicator": "malicious",
"confidence_level": 5,
"current_state": "remediated",
"description": "Microsoft has detected #{\"label\": \"phishing\", \"entity_id\": \"33333333333333333333333333333333\", \"entity_type\": \"ms_defender_scan\"} in an email from #{\"label\": \"jane.doe@test.com\", \"entity_id\": \"ext:jane.doe@test.com\", \"entity_type\": \"office365_emails_user\", \"disable_link\": true} - '#{\"label\": \"Phishing detection test\", \"entity_id\": \"33333333333333333333333333333333\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"}'s mailbox)",
"description_short": "Microsoft has detected #{\"label\": \"phishing\", \"entity_id\": \"33333333333333333333333333333333\", \"entity_type\": \"ms_defender_scan\"} in '#{\"label\": \"Phishing detection test\", \"entity_id\": \"33333333333333333333333333333333\", \"entity_type\": \"office365_emails_email\"}'(#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"})",
"description_text": "Microsoft has detected phishing in an email from jane.doe@test.com - 'Phishing detection test' (john.doe@mycorp.com's mailbox)",
"description_tooltips": [
"john.doe@mycorp.com",
"HostedContentFilterPolicy",
"Phishing detection test",
"Member",
"9",
"2026-01-15T15:32:58",
"hphish",
"0",
"Jane Doe",
"John Doe",
"jane.doe@test.com",
"High Confidence Phishing",
"Quarantine"
],
"event_metadata": {
"sender_address": "jane.doe@test.com",
"is_internal": null,
"spam_verdict": null,
"is_outgoing": null
},
"event_trigger": {
"type": "Policy",
"id": 17682263080220852
},
"latest_change_time": 1768492164.3583243,
"matched_security_tool": "ms_defender_scan",
"metadata_json": {
"impersonation_description": "Other",
"impersonate_nickname_new": null
},
"multi": false,
"policy_rule_id": 17682263080220852,
"remediation_actor": "microsoft",
"saas": "office365_emails",
"severity": 3
},
"entity_security_result": {},
"saas_info": {
"account_id": [
"00000000-0000-0000-0000-000000000000"
],
"entity_id": "33333333333333333333333333333333",
"entity_type": "office365_emails_email",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_creation_time": null,
"saas_spam_verdict": null
},
"security_event_action": [
{
"actor": "microsoft",
"sec_event_id": "11111111111111111111111111111111",
"error": null,
"create_time": "2026-01-15T15:49:24.303412Z",
"action_type": "quarantine_email"
}
],
"time": "2026-01-15T15:49:24.509565Z",
"_id": "11111111111111111111111111111111111111111111111111111111111"
},
"entity": {
"entity_info": {
"customer_cluster": "8",
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "Check Point",
"customer_region": "eu-west-1",
"entity_created": "2026-01-15T15:49:08.265530Z",
"entity_expiration": 1784130548,
"entity_id": "33333333333333333333333333333333",
"entity_reporter": "emails-2167574-8",
"entity_type": "office365_emails_email",
"entity_updated": "2026-01-15T15:49:08.265532Z",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "d0784be61a1866240c5401818861e47e",
"attachment_count": 0,
"attachments": [],
"bcc": [],
"bcc_user": [],
"body_content_type": "HTML",
"cc": [],
"cc_user": [],
"container_ids": null,
"containers_ids": null,
"containers_names": null,
"dkim_result": "pass",
"dmarc_result": "pass",
"email_split": "original",
"encryption_status": null,
"envelope_from": null,
"first_folder_name": null,
"folder_history": [],
"forwarder_email": null,
"from_domain": "mycorp.com",
"from_email": "jane.doe@test.com",
"from_id": "ext:jane.doe@test.com",
"from_name": "Jane Doe",
"has_calendar_event": false,
"has_encrypted_attachments": false,
"has_internal_recipient": true,
"insert_time_sqs": "2026-01-15T15:44:08.033000Z",
"internet_message_id": "<00000000000000000000000000000000000000000000000000@mail.example.com>",
"is_attachment_changed": false,
"is_attachment_restored": false,
"is_body_changed": false,
"is_deleted": true,
"is_encrypted_attachments_removed": null,
"is_first_in_junk": null,
"is_group_user": null,
"is_in_junk": null,
"is_in_s3_quarantine": true,
"is_incoming": true,
"is_inline_handled": false,
"is_internal": false,
"is_links_replaced": false,
"is_outgoing": false,
"is_quarantine_notification": false,
"is_quarantine_user_notification": false,
"is_quarantined": true,
"is_read": null,
"is_restore_declined": false,
"is_restore_requested": false,
"is_restored": false,
"is_sent_from_internal": false,
"is_signed": false,
"is_spam_header_added": false,
"is_splittable": false,
"is_subject_changed": false,
"is_wd_rescan": false,
"manager_address": null,
"matched_workflows": null,
"mode": "monitor",
"ms_quarantine_status": "quarantined",
"ms_quarantine_verdict_type": "high_conf_phish",
"network_message_id": "66666666-6666-6666-6666-666666666666",
"orig_message_id": null,
"orig_recipient": "john.doe@mycorp.com",
"orig_subject": null,
"password_protected_require_password_time": null,
"password_protected_restore_time": null,
"password_protected_status": null,
"password_protected_uuid": null,
"quarantine_actor": "Microsoft",
"quarantine_time": "2026-01-15T15:49:21.822454Z",
"quarantine_uuid": "55555555555555555555555555555555",
"recipients": [
"john.doe@mycorp.com"
],
"recipients_hash": "5c9a6d0fb68a2521418f82400c97eb25",
"recipients_user": [
{
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
}
],
"reply_to_email": null,
"reply_to_nickname": null,
"report_phishing_blacklist_time": null,
"report_phishing_decline_actor": null,
"report_phishing_decline_reason": null,
"report_phishing_decline_time": null,
"report_phishing_detection_time": null,
"report_phishing_email_hash_md5": null,
"report_phishing_original": null,
"report_phishing_service_name": null,
"report_phishing_service_type": null,
"report_phishing_source": null,
"request_password_at": null,
"restore_actor": null,
"restore_commentary": null,
"restore_decline_actor": null,
"restore_decline_reason": null,
"restore_decline_time": null,
"restore_request_actor_type": null,
"restore_request_source": null,
"restore_request_time": null,
"restore_time": null,
"restored_message_id": null,
"saas_phishing_verdict": null,
"saas_spam_verdict": "9",
"sender_client_ip": "0.0.0.0",
"sender_server_ip": "2001:db8::2fe5",
"sent_datetime": "2026-01-15T15:32:46Z",
"size": 11383,
"smart_banner_category": null,
"source": "mta",
"spf_result": "pass",
"subject": "Phishing detection test",
"to": [
"john.doe@mycorp.com"
],
"to_user": [
{
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
}
],
"workflow": "",
"email_links": [
"https://malicious.foo.com/account_WfWvvb_claim_gift_card"
],
"email_links_domains": [
"malicious.foo.com"
]
},
"entity_security_result": {
"ap": [
{
"security_result_entity_id": "33333333333333333333333333333333",
"score": null,
"status_description": "Cleaned SCL due to ignore_scl_for_clean",
"entity_type": "office365_emails_email",
"status_code": "match_spam_whitelist",
"sec_type": "ap",
"payload": {
"reasons_by_category": {},
"reasons": [
"Marked as clean based on Check Point's assessment, overriding Microsoft's spam classification",
"Marked as clean based on Check Point's assessment, overriding Microsoft's spam classification",
"Link to newly registered domain",
"Non ASCII info in headers",
"Insignificant historical reputation with sender domain",
"Insignificant historical reputation with sender",
"Low-traffic 'From'-domain",
"Link to a low-traffic site",
"Suspicious-looking email text",
"Email is marked as spam by O365"
],
"probability_level": "2",
"reasons_by_category_list": []
},
"verdict": "clean",
"security_result_entity_type": "avanan_ap_scan",
"entity_id": "33333333333333333333333333333333"
}
],
"combined_verdict": {
"shadow_it": "clean",
"ap": "clean",
"ms_defender": "hphsh"
},
"findings_summary": [
{
"sectool_name": "ms_defender_scan",
"sectool_type": "ms_defender",
"verdict": "hphsh"
}
],
"is_clean": false,
"ms_defender": [
{
"security_result_entity_id": "33333333333333333333333333333333",
"score": 0,
"status_description": "",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ms_defender",
"payload": {
"bcl": "0",
"policy_action": "quarantine",
"detection_reason": "HostedContentFilterPolicy",
"scl": "9",
"policy_applied": "hphish"
},
"verdict": "hphsh",
"security_result_entity_type": "ms_defender_scan",
"entity_id": "33333333333333333333333333333333"
}
],
"shadow_it": [
{
"security_result_entity_id": "33333333333333333333333333333333",
"score": 0,
"status_description": "Clean",
"entity_type": "office365_emails_email",
"status_code": "clean",
"sec_type": "shadow_it",
"payload": {
"from": "jane.doe@test.com",
"subject": "Phishing detection test",
"domain": ""
},
"verdict": "clean",
"security_result_entity_type": "shadow_it_emails_scan",
"entity_id": "33333333333333333333333333333333"
}
]
},
"saas_info": {
"saas_actor_id": "john.doe@mycorp.com",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_actor_type": "office365_emails_user",
"saas_entity_created": "2026-01-15T15:32:58Z",
"saas_entity_id": null,
"saas_entity_type": "email",
"saas_id": "office365_emails"
},
"time": "2026-01-15T15:49:22.551191Z"
}
}
}
{
"event": {
"security_event": {
"entity_info": {
"customer_cluster": [
"8"
],
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "checkpoint",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:22.780083+00:00",
"entity_expiration": 1784739622,
"entity_id": "00000000000000000000000000000000",
"entity_reporter": "emails-9097588-8",
"entity_sub_type": "dlp",
"entity_type": "security_event",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "11111111111111111111111111111111",
"category": "shadow_it",
"confidence_indicator": "detected",
"confidence_level": 5,
"current_state": "detected",
"description": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected #{\"label\": \"PCI\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"}'s mailbox)",
"description_short": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected a leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"})",
"description_text": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"description_tooltips": [
"Member",
"John Doe",
"Credit card number",
"john.doe@mycorp.com",
"2026-01-13T17:00:12",
"Detected"
],
"event_metadata": {
"sender_address": "john.doe@mycorp.com",
"is_internal": null,
"spam_verdict": null,
"is_outgoing": null,
"dlp_detections": [
"Credit card number"
]
},
"event_trigger": {
"type": "Policy",
"id": 17682366990433
},
"matched_security_tool": "avanan_dlp",
"metadata_json": {
"impersonation_description": "Other",
"impersonate_nickname_new": null
},
"multi": false,
"policy_rule_id": 17682366990433,
"saas": "office365_emails",
"severity": 3
},
"entity_security_result": {},
"saas_info": {
"account_id": [
"00000000-0000-0000-0000-000000000000"
],
"entity_id": "22222222222222222222222222222222",
"entity_type": "office365_emails_email",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_creation_time": null,
"saas_spam_verdict": null
},
"security_event_action": [
{
"actor": "checkpoint",
"sec_event_id": "00000000000000000000000000000000",
"error": "",
"create_time": "2026-01-13T17:00:24.438085Z",
"action_type": "send_email_to"
}
],
"time": "2026-01-13T17:00:24.508990Z",
"_id": "11111111111111111111111111111111111111111111111111111111111"
},
"entity": {
"entity_info": {
"customer_cluster": "8",
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "Check Point",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:17.465214Z",
"entity_expiration": 1783962017,
"entity_id": "22222222222222222222222222222222",
"entity_reporter": "emails-9097588-8",
"entity_type": "office365_emails_email",
"entity_updated": "2026-01-13T17:00:17.465218Z",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "33333333333333333333333333333333",
"attachment_count": 0,
"attachments": [],
"bcc": [],
"bcc_user": [],
"body_content_type": "HTML",
"cc": [],
"cc_user": [],
"containers_ids": null,
"containers_names": null,
"dkim_result": "none",
"dmarc_result": "none",
"email_split": "original",
"encryption_status": null,
"envelope_from": null,
"first_folder_name": null,
"folder_history": [],
"forwarder_email": null,
"from_domain": "mycorp.com",
"from_email": "john.doe@mycorp.com",
"from_id": "00000000-0000-0000-0000-000000000000",
"from_name": "John Doe",
"geo_city": "Rennes",
"geo_country": "France",
"geo_region": "Ille-et-Vilaine",
"has_calendar_event": false,
"has_encrypted_attachments": false,
"has_internal_recipient": false,
"insert_time_sqs": "2026-01-13T17:00:17.147000Z",
"internet_message_id": "<O000000000000000000000000000000000@example.com>",
"is_attachment_changed": false,
"is_attachment_restored": false,
"is_body_changed": false,
"is_deleted": false,
"is_encrypted_attachments_removed": null,
"is_first_in_junk": null,
"is_group_user": null,
"is_in_junk": null,
"is_in_s3_quarantine": false,
"is_incoming": false,
"is_inline_handled": false,
"is_internal": false,
"is_links_replaced": false,
"is_outgoing": true,
"is_quarantine_notification": false,
"is_quarantine_user_notification": false,
"is_quarantined": false,
"is_read": null,
"is_restore_declined": false,
"is_restore_requested": false,
"is_restored": false,
"is_sent_from_internal": true,
"is_signed": false,
"is_spam_header_added": false,
"is_splittable": true,
"is_subject_changed": false,
"is_wd_rescan": false,
"manager_address": null,
"matched_workflows": null,
"mode": "monitor",
"ms_quarantine_status": null,
"ms_quarantine_verdict_type": null,
"network_message_id": "66666666-6666-6666-6666-666666666666",
"orig_message_id": null,
"orig_recipient": "john.doe@mycorp.com",
"orig_subject": null,
"password_protected_require_password_time": null,
"password_protected_restore_time": null,
"password_protected_status": null,
"password_protected_uuid": null,
"quarantine_actor": null,
"quarantine_time": null,
"quarantine_uuid": null,
"recipients": [
"jane.doe@test.com"
],
"recipients_hash": "dc44eaf82ea2617fa505c3186253638b",
"recipients_journal": [
"jane.doe@test.com"
],
"recipients_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"reply_to_email": null,
"reply_to_nickname": null,
"report_phishing_blacklist_time": null,
"report_phishing_decline_actor": null,
"report_phishing_decline_reason": null,
"report_phishing_decline_time": null,
"report_phishing_detection_time": null,
"report_phishing_email_hash_md5": null,
"report_phishing_original": null,
"report_phishing_service_name": null,
"report_phishing_service_type": null,
"report_phishing_source": null,
"request_password_at": null,
"restore_actor": null,
"restore_commentary": null,
"restore_decline_actor": null,
"restore_decline_reason": null,
"restore_decline_time": null,
"restore_request_actor_type": null,
"restore_request_source": null,
"restore_request_time": null,
"restore_time": null,
"restored_message_id": null,
"saas_phishing_verdict": null,
"saas_spam_verdict": "1",
"sender_client_ip": "1.2.3.4",
"sender_server_ip": "2001:db8::2fe5",
"sent_datetime": "2026-01-13T17:00:12Z",
"size": 19472,
"smart_banner_category": null,
"source": "mta",
"spf_result": null,
"subject": "Credit card number",
"to": [
"jane.doe@test.com"
],
"to_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"workflow": null
},
"entity_security_result": {
"ap": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 71.57221,
"status_description": null,
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ap",
"payload": {
"reasons_by_category_list": [],
"reasons_by_category": {},
"reasons": []
},
"verdict": "clean",
"security_result_entity_type": "avanan_ap_scan",
"entity_id": "22222222222222222222222222222222"
}
],
"combined_dlp_hit_count": 1,
"combined_verdict": {
"dlp": "leak",
"ms_defender": "clean",
"ap": "clean"
},
"dlp": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "DLP rule match: PCI",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "dlp",
"payload": {
"matches_dlp_rules": [
"PCI"
],
"found_text": [
"****************111"
],
"scan_details": [
"Credit card number (likely): ****************111"
],
"hit_count": 1
},
"verdict": "leak",
"security_result_entity_type": "avanan_dlp",
"entity_id": "22222222222222222222222222222222"
}
],
"findings_summary": [
{
"sectool_name": "avanan_dlp",
"sectool_type": "dlp",
"verdict": "leak"
}
],
"is_clean": false,
"ms_defender": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ms_defender",
"payload": {
"bcl": "0",
"policy_action": "delivered",
"detection_reason": "non_spam",
"scl": "1",
"policy_applied": "none"
},
"verdict": "clean",
"security_result_entity_type": "ms_defender_scan",
"entity_id": "22222222222222222222222222222222"
}
]
},
"saas_info": {
"saas_actor_id": "john.doe@mycorp.com",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_actor_type": "office365_emails_user",
"saas_entity_created": "2026-01-13T17:00:12Z",
"saas_entity_type": "email",
"saas_id": "office365_emails"
},
"time": "2026-01-13T17:00:34.076069Z"
}
}
}
{
"event": {
"security_event": {
"entity_info": {
"customer_cluster": [
"8"
],
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "checkpoint",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:22.780083+00:00",
"entity_expiration": 1784739622,
"entity_id": "00000000000000000000000000000000",
"entity_reporter": "emails-9097588-8",
"entity_sub_type": "dlp",
"entity_type": "security_event",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "11111111111111111111111111111111",
"category": "suspicious malware",
"confidence_indicator": "detected",
"confidence_level": 5,
"current_state": "detected",
"description": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected #{\"label\": \"PCI\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"}'s mailbox)",
"description_short": "#{\"label\": \"SmartDLP\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"avanan_dlp\", \"disable_link\": true} has detected a leak in '#{\"label\": \"Credit card number\", \"entity_id\": \"22222222222222222222222222222222\", \"entity_type\": \"office365_emails_email\"}' (#{\"label\": \"john.doe@mycorp.com\", \"entity_id\": \"00000000-0000-0000-0000-000000000000\", \"entity_type\": \"office365_emails_user\"})",
"description_text": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"description_tooltips": [
"Member",
"John Doe",
"Credit card number",
"john.doe@mycorp.com",
"2026-01-13T17:00:12",
"Detected"
],
"event_metadata": {
"sender_address": "john.doe@mycorp.com",
"is_internal": null,
"spam_verdict": null,
"is_outgoing": null,
"dlp_detections": [
"Credit card number"
]
},
"event_trigger": {
"type": "Policy",
"id": 17682366990433
},
"matched_security_tool": "avanan_dlp",
"metadata_json": {
"impersonation_description": "Other",
"impersonate_nickname_new": null
},
"multi": false,
"policy_rule_id": 17682366990433,
"saas": "office365_emails",
"severity": 3
},
"entity_security_result": {},
"saas_info": {
"account_id": [
"00000000-0000-0000-0000-000000000000"
],
"entity_id": "22222222222222222222222222222222",
"entity_type": "office365_emails_email",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_creation_time": null,
"saas_spam_verdict": null
},
"security_event_action": [
{
"actor": "checkpoint",
"sec_event_id": "00000000000000000000000000000000",
"error": "",
"create_time": "2026-01-13T17:00:24.438085Z",
"action_type": "send_email_to"
}
],
"time": "2026-01-13T17:00:24.508990Z",
"_id": "11111111111111111111111111111111111111111111111111111111111"
},
"entity": {
"entity_info": {
"customer_cluster": "8",
"customer_domain": "test",
"customer_farm": "mt-prod-cp-eu-2",
"customer_oem": "Check Point",
"customer_region": "eu-west-1",
"entity_created": "2026-01-13T17:00:17.465214Z",
"entity_expiration": 1783962017,
"entity_id": "22222222222222222222222222222222",
"entity_reporter": "emails-9097588-8",
"entity_type": "office365_emails_email",
"entity_updated": "2026-01-13T17:00:17.465218Z",
"locale": "en-us"
},
"entity_payload": {
"aggregation_id": "33333333333333333333333333333333",
"attachment_count": 0,
"attachments": [],
"bcc": [],
"bcc_user": [],
"body_content_type": "HTML",
"cc": [],
"cc_user": [],
"containers_ids": null,
"containers_names": null,
"dkim_result": "none",
"dmarc_result": "none",
"email_split": "original",
"encryption_status": null,
"envelope_from": null,
"first_folder_name": null,
"folder_history": [],
"forwarder_email": null,
"from_domain": "mycorp.com",
"from_email": "john.doe@mycorp.com",
"from_id": "00000000-0000-0000-0000-000000000000",
"from_name": "John Doe",
"geo_city": "Rennes",
"geo_country": "France",
"geo_region": "Ille-et-Vilaine",
"has_calendar_event": false,
"has_encrypted_attachments": false,
"has_internal_recipient": false,
"insert_time_sqs": "2026-01-13T17:00:17.147000Z",
"internet_message_id": "<O000000000000000000000000000000000@example.com>",
"is_attachment_changed": false,
"is_attachment_restored": false,
"is_body_changed": false,
"is_deleted": false,
"is_encrypted_attachments_removed": null,
"is_first_in_junk": null,
"is_group_user": null,
"is_in_junk": null,
"is_in_s3_quarantine": false,
"is_incoming": false,
"is_inline_handled": false,
"is_internal": false,
"is_links_replaced": false,
"is_outgoing": true,
"is_quarantine_notification": false,
"is_quarantine_user_notification": false,
"is_quarantined": false,
"is_read": null,
"is_restore_declined": false,
"is_restore_requested": false,
"is_restored": false,
"is_sent_from_internal": true,
"is_signed": false,
"is_spam_header_added": false,
"is_splittable": true,
"is_subject_changed": false,
"is_wd_rescan": false,
"manager_address": null,
"matched_workflows": null,
"mode": "monitor",
"ms_quarantine_status": null,
"ms_quarantine_verdict_type": null,
"network_message_id": "66666666-6666-6666-6666-666666666666",
"orig_message_id": null,
"orig_recipient": "john.doe@mycorp.com",
"orig_subject": null,
"password_protected_require_password_time": null,
"password_protected_restore_time": null,
"password_protected_status": null,
"password_protected_uuid": null,
"quarantine_actor": null,
"quarantine_time": null,
"quarantine_uuid": null,
"recipients": [
"jane.doe@test.com"
],
"recipients_hash": "dc44eaf82ea2617fa505c3186253638b",
"recipients_journal": [
"jane.doe@test.com"
],
"recipients_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"reply_to_email": null,
"reply_to_nickname": null,
"report_phishing_blacklist_time": null,
"report_phishing_decline_actor": null,
"report_phishing_decline_reason": null,
"report_phishing_decline_time": null,
"report_phishing_detection_time": null,
"report_phishing_email_hash_md5": null,
"report_phishing_original": null,
"report_phishing_service_name": null,
"report_phishing_service_type": null,
"report_phishing_source": null,
"request_password_at": null,
"restore_actor": null,
"restore_commentary": null,
"restore_decline_actor": null,
"restore_decline_reason": null,
"restore_decline_time": null,
"restore_request_actor_type": null,
"restore_request_source": null,
"restore_request_time": null,
"restore_time": null,
"restored_message_id": null,
"saas_phishing_verdict": null,
"saas_spam_verdict": "1",
"sender_client_ip": "1.2.3.4",
"sender_server_ip": "2001:db8::2fe5",
"sent_datetime": "2026-01-13T17:00:12Z",
"size": 19472,
"smart_banner_category": null,
"source": "mta",
"spf_result": null,
"subject": "Credit card number",
"to": [
"jane.doe@test.com"
],
"to_user": [
{
"full_name": "jane.doe@test.com",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": true,
"av_license_enabled": false,
"entity_id": "ext:jane.doe@test.com",
"key": "jane.doe@test.com",
"email": "jane.doe@test.com"
}
],
"workflow": null
},
"entity_security_result": {
"ap": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 71.57221,
"status_description": null,
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ap",
"payload": {
"reasons_by_category_list": [],
"reasons_by_category": {},
"reasons": []
},
"verdict": "clean",
"security_result_entity_type": "avanan_ap_scan",
"entity_id": "22222222222222222222222222222222"
}
],
"combined_dlp_hit_count": 1,
"combined_verdict": {
"dlp": "leak",
"ms_defender": "clean",
"ap": "clean"
},
"dlp": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "DLP rule match: PCI",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "dlp",
"payload": {
"matches_dlp_rules": [
"PCI"
],
"found_text": [
"****************111"
],
"scan_details": [
"Credit card number (likely): ****************111"
],
"hit_count": 1
},
"verdict": "leak",
"security_result_entity_type": "avanan_dlp",
"entity_id": "22222222222222222222222222222222"
}
],
"findings_summary": [
{
"sectool_name": "avanan_dlp",
"sectool_type": "dlp",
"verdict": "leak"
}
],
"is_clean": false,
"ms_defender": [
{
"security_result_entity_id": "22222222222222222222222222222222",
"score": 0,
"status_description": "",
"entity_type": "office365_emails_email",
"status_code": "0",
"sec_type": "ms_defender",
"payload": {
"bcl": "0",
"policy_action": "delivered",
"detection_reason": "non_spam",
"scl": "1",
"policy_applied": "none"
},
"verdict": "clean",
"security_result_entity_type": "ms_defender_scan",
"entity_id": "22222222222222222222222222222222"
}
]
},
"saas_info": {
"saas_actor_id": "john.doe@mycorp.com",
"saas_actor_payload": {
"full_name": "John Doe",
"is_deleted": false,
"entity_type": "office365_emails_user",
"is_external": false,
"av_license_enabled": true,
"entity_id": "00000000-0000-0000-0000-000000000000",
"key": "John Doe",
"email": "john.doe@mycorp.com"
},
"saas_actor_type": "office365_emails_user",
"saas_entity_created": "2026-01-13T17:00:12Z",
"saas_entity_type": "email",
"saas_id": "office365_emails"
},
"time": "2026-01-13T17:00:34.076069Z"
}
}
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
| Application logs | Application activity and security events from Check Point Harmony Email & Collaboration via HEC. |
In detail, the following table lists the types of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | file, host, iam, malware, threat |
| Type | indicator, info |
Transformed Events Samples after Ingestion
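This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data. In the samples below, the `message` field carries the original raw event as an escaped JSON string, so values from the raw log such as sender and recipient addresses and the email subject remain present in the stored event.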
{
"message": "{\n \"event\": {\n \"security_event\": {\n \"entity_info\": {\n \"customer_cluster\": [\n \"8\"\n ],\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"checkpoint\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:22.780083+00:00\",\n \"entity_expiration\": 1784739622,\n \"entity_id\": \"00000000000000000000000000000000\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_sub_type\": \"dlp\",\n \"entity_type\": \"security_event\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"11111111111111111111111111111111\",\n \"category\": \"alert\",\n \"confidence_indicator\": \"detected\",\n \"confidence_level\": 5,\n \"current_state\": \"detected\",\n \"description\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected #{\\\"label\\\": \\\"PCI\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\"}'s mailbox)\",\n \"description_short\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected a leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": 
\\\"office365_emails_user\\\"})\",\n \"description_text\": \"SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)\",\n \"description_tooltips\": [\n \"Member\",\n \"John Doe\",\n \"Credit card number\",\n \"john.doe@mycorp.com\",\n \"2026-01-13T17:00:12\",\n \"Detected\"\n ],\n \"event_metadata\": {\n \"sender_address\": \"john.doe@mycorp.com\",\n \"is_internal\": null,\n \"spam_verdict\": null,\n \"is_outgoing\": null,\n \"dlp_detections\": [\n \"Credit card number\"\n ]\n },\n \"event_trigger\": {\n \"type\": \"Policy\",\n \"id\": 17682366990433\n },\n \"matched_security_tool\": \"avanan_dlp\",\n \"metadata_json\": {\n \"impersonation_description\": \"Other\",\n \"impersonate_nickname_new\": null\n },\n \"multi\": false,\n \"policy_rule_id\": 17682366990433,\n \"saas\": \"office365_emails\",\n \"severity\": 3\n },\n \"entity_security_result\": {},\n \"saas_info\": {\n \"account_id\": [\n \"00000000-0000-0000-0000-000000000000\"\n ],\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_type\": \"office365_emails_email\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_creation_time\": null,\n \"saas_spam_verdict\": null\n },\n \"security_event_action\": [\n {\n \"actor\": \"checkpoint\",\n \"sec_event_id\": \"00000000000000000000000000000000\",\n \"error\": \"\",\n \"create_time\": \"2026-01-13T17:00:24.438085Z\",\n \"action_type\": \"send_email_to\"\n }\n ],\n \"time\": \"2026-01-13T17:00:24.508990Z\",\n \"_id\": \"11111111111111111111111111111111111111111111111111111111111\"\n },\n \"entity\": {\n \"entity_info\": {\n \"customer_cluster\": \"8\",\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": 
\"Check Point\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:17.465214Z\",\n \"entity_expiration\": 1783962017,\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_type\": \"office365_emails_email\",\n \"entity_updated\": \"2026-01-13T17:00:17.465218Z\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"33333333333333333333333333333333\",\n \"attachment_count\": 0,\n \"attachments\": [],\n \"bcc\": [],\n \"bcc_user\": [],\n \"body_content_type\": \"HTML\",\n \"cc\": [],\n \"cc_user\": [],\n \"containers_ids\": null,\n \"containers_names\": null,\n \"dkim_result\": \"none\",\n \"dmarc_result\": \"none\",\n \"email_split\": \"original\",\n \"encryption_status\": null,\n \"envelope_from\": null,\n \"first_folder_name\": null,\n \"folder_history\": [],\n \"forwarder_email\": null,\n \"from_domain\": \"mycorp.com\",\n \"from_email\": \"john.doe@mycorp.com\",\n \"from_id\": \"00000000-0000-0000-0000-000000000000\",\n \"from_name\": \"John Doe\",\n \"geo_city\": \"Rennes\",\n \"geo_country\": \"France\",\n \"geo_region\": \"Ille-et-Vilaine\",\n \"has_calendar_event\": false,\n \"has_encrypted_attachments\": false,\n \"has_internal_recipient\": false,\n \"insert_time_sqs\": \"2026-01-13T17:00:17.147000Z\",\n \"internet_message_id\": \"<O000000000000000000000000000000000@example.com>\",\n \"is_attachment_changed\": false,\n \"is_attachment_restored\": false,\n \"is_body_changed\": false,\n \"is_deleted\": false,\n \"is_encrypted_attachments_removed\": null,\n \"is_first_in_junk\": null,\n \"is_group_user\": null,\n \"is_in_junk\": null,\n \"is_in_s3_quarantine\": false,\n \"is_incoming\": false,\n \"is_inline_handled\": false,\n \"is_internal\": false,\n \"is_links_replaced\": false,\n \"is_outgoing\": true,\n \"is_quarantine_notification\": false,\n \"is_quarantine_user_notification\": false,\n \"is_quarantined\": false,\n \"is_read\": null,\n 
\"is_restore_declined\": false,\n \"is_restore_requested\": false,\n \"is_restored\": false,\n \"is_sent_from_internal\": true,\n \"is_signed\": false,\n \"is_spam_header_added\": false,\n \"is_splittable\": true,\n \"is_subject_changed\": false,\n \"is_wd_rescan\": false,\n \"manager_address\": null,\n \"matched_workflows\": null,\n \"mode\": \"monitor\",\n \"ms_quarantine_status\": null,\n \"ms_quarantine_verdict_type\": null,\n \"network_message_id\": \"66666666-6666-6666-6666-666666666666\",\n \"orig_message_id\": null,\n \"orig_recipient\": \"john.doe@mycorp.com\",\n \"orig_subject\": null,\n \"password_protected_require_password_time\": null,\n \"password_protected_restore_time\": null,\n \"password_protected_status\": null,\n \"password_protected_uuid\": null,\n \"quarantine_actor\": null,\n \"quarantine_time\": null,\n \"quarantine_uuid\": null,\n \"recipients\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_hash\": \"dc44eaf82ea2617fa505c3186253638b\",\n \"recipients_journal\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"reply_to_email\": null,\n \"reply_to_nickname\": null,\n \"report_phishing_blacklist_time\": null,\n \"report_phishing_decline_actor\": null,\n \"report_phishing_decline_reason\": null,\n \"report_phishing_decline_time\": null,\n \"report_phishing_detection_time\": null,\n \"report_phishing_email_hash_md5\": null,\n \"report_phishing_original\": null,\n \"report_phishing_service_name\": null,\n \"report_phishing_service_type\": null,\n \"report_phishing_source\": null,\n \"request_password_at\": null,\n \"restore_actor\": null,\n \"restore_commentary\": null,\n \"restore_decline_actor\": null,\n \"restore_decline_reason\": null,\n 
\"restore_decline_time\": null,\n \"restore_request_actor_type\": null,\n \"restore_request_source\": null,\n \"restore_request_time\": null,\n \"restore_time\": null,\n \"restored_message_id\": null,\n \"saas_phishing_verdict\": null,\n \"saas_spam_verdict\": \"1\",\n \"sender_client_ip\": \"1.2.3.4\",\n \"sender_server_ip\": \"2001:db8::2fe5\",\n \"sent_datetime\": \"2026-01-13T17:00:12Z\",\n \"size\": 19472,\n \"smart_banner_category\": null,\n \"source\": \"mta\",\n \"spf_result\": null,\n \"subject\": \"Credit card number\",\n \"to\": [\n \"jane.doe@test.com\"\n ],\n \"to_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"workflow\": null\n },\n \"entity_security_result\": {\n \"ap\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 71.57221,\n \"status_description\": null,\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ap\",\n \"payload\": {\n \"reasons_by_category_list\": [],\n \"reasons_by_category\": {},\n \"reasons\": []\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"avanan_ap_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"combined_dlp_hit_count\": 1,\n \"combined_verdict\": {\n \"dlp\": \"leak\",\n \"ms_defender\": \"clean\",\n \"ap\": \"clean\"\n },\n \"dlp\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"DLP rule match: PCI\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"dlp\",\n \"payload\": {\n \"matches_dlp_rules\": [\n \"PCI\"\n ],\n \"found_text\": [\n \"****************111\"\n ],\n \"scan_details\": [\n \"Credit card number (likely): 
****************111\"\n ],\n \"hit_count\": 1\n },\n \"verdict\": \"leak\",\n \"security_result_entity_type\": \"avanan_dlp\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"findings_summary\": [\n {\n \"sectool_name\": \"avanan_dlp\",\n \"sectool_type\": \"dlp\",\n \"verdict\": \"leak\"\n }\n ],\n \"is_clean\": false,\n \"ms_defender\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ms_defender\",\n \"payload\": {\n \"bcl\": \"0\",\n \"policy_action\": \"delivered\",\n \"detection_reason\": \"non_spam\",\n \"scl\": \"1\",\n \"policy_applied\": \"none\"\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"ms_defender_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ]\n },\n \"saas_info\": {\n \"saas_actor_id\": \"john.doe@mycorp.com\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_actor_type\": \"office365_emails_user\",\n \"saas_entity_created\": \"2026-01-13T17:00:12Z\",\n \"saas_entity_type\": \"email\",\n \"saas_id\": \"office365_emails\"\n },\n \"time\": \"2026-01-13T17:00:34.076069Z\"\n }\n }\n}",
"event": {
"action": "send_email_to",
"category": [
"threat"
],
"kind": "alert",
"provider": "avanan_dlp",
"reason": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"severity": 3,
"type": [
"info"
]
},
"@timestamp": "2026-01-13T17:00:24.508990Z",
"checkpoint": {
"harmony_email": {
"confidence": {
"indicator": "detected",
"level": 5
},
"saas_application": "office365_emails",
"scan_details": [
"Credit card number (likely): ****************111"
],
"verdict": {
"ap": "clean",
"dlp": "leak",
"ms_defender": "clean"
}
}
},
"cloud": {
"account": {
"id": "test"
},
"provider": "checkpoint",
"region": "eu-west-1"
},
"email": {
"direction": "outbound",
"from": {
"address": "john.doe@mycorp.com"
},
"local_id": "66666666-6666-6666-6666-666666666666",
"message_id": "<O000000000000000000000000000000000@example.com>",
"subject": "Credit card number",
"to": {
"address": [
"jane.doe@test.com"
]
}
},
"observer": {
"name": "emails-9097588-8",
"product": "Harmony Email and Collaboration",
"vendor": "Checkpoint"
},
"related": {
"hosts": [
"mycorp.com"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"description": "DLP rule match: PCI",
"id": "17682366990433"
},
"source": {
"address": "mycorp.com",
"domain": "mycorp.com",
"ip": "1.2.3.4",
"registered_domain": "mycorp.com",
"top_level_domain": "com",
"user": {
"email": "john.doe@mycorp.com",
"full_name": "John Doe",
"id": "00000000-0000-0000-0000-000000000000"
}
}
}
{
"message": "{\n \"event\": {\n \"security_event\": {\n \"entity_info\": {\n \"customer_cluster\": [\n \"8\"\n ],\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"checkpoint\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:22.780083+00:00\",\n \"entity_expiration\": 1784739622,\n \"entity_id\": \"00000000000000000000000000000000\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_sub_type\": \"dlp\",\n \"entity_type\": \"security_event\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"11111111111111111111111111111111\",\n \"category\": \"anomaly\",\n \"confidence_indicator\": \"detected\",\n \"confidence_level\": 5,\n \"current_state\": \"detected\",\n \"description\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected #{\\\"label\\\": \\\"PCI\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\"}'s mailbox)\",\n \"description_short\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected a leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": 
\\\"office365_emails_user\\\"})\",\n \"description_text\": \"SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)\",\n \"description_tooltips\": [\n \"Member\",\n \"John Doe\",\n \"Credit card number\",\n \"john.doe@mycorp.com\",\n \"2026-01-13T17:00:12\",\n \"Detected\"\n ],\n \"event_metadata\": {\n \"sender_address\": \"john.doe@mycorp.com\",\n \"is_internal\": null,\n \"spam_verdict\": null,\n \"is_outgoing\": null,\n \"dlp_detections\": [\n \"Credit card number\"\n ]\n },\n \"event_trigger\": {\n \"type\": \"Policy\",\n \"id\": 17682366990433\n },\n \"matched_security_tool\": \"avanan_dlp\",\n \"metadata_json\": {\n \"impersonation_description\": \"Other\",\n \"impersonate_nickname_new\": null\n },\n \"multi\": false,\n \"policy_rule_id\": 17682366990433,\n \"saas\": \"office365_emails\",\n \"severity\": 3\n },\n \"entity_security_result\": {},\n \"saas_info\": {\n \"account_id\": [\n \"00000000-0000-0000-0000-000000000000\"\n ],\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_type\": \"office365_emails_email\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_creation_time\": null,\n \"saas_spam_verdict\": null\n },\n \"security_event_action\": [\n {\n \"actor\": \"checkpoint\",\n \"sec_event_id\": \"00000000000000000000000000000000\",\n \"error\": \"\",\n \"create_time\": \"2026-01-13T17:00:24.438085Z\",\n \"action_type\": \"send_email_to\"\n }\n ],\n \"time\": \"2026-01-13T17:00:24.508990Z\",\n \"_id\": \"11111111111111111111111111111111111111111111111111111111111\"\n },\n \"entity\": {\n \"entity_info\": {\n \"customer_cluster\": \"8\",\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": 
\"Check Point\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:17.465214Z\",\n \"entity_expiration\": 1783962017,\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_type\": \"office365_emails_email\",\n \"entity_updated\": \"2026-01-13T17:00:17.465218Z\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"33333333333333333333333333333333\",\n \"attachment_count\": 0,\n \"attachments\": [],\n \"bcc\": [],\n \"bcc_user\": [],\n \"body_content_type\": \"HTML\",\n \"cc\": [],\n \"cc_user\": [],\n \"containers_ids\": null,\n \"containers_names\": null,\n \"dkim_result\": \"none\",\n \"dmarc_result\": \"none\",\n \"email_split\": \"original\",\n \"encryption_status\": null,\n \"envelope_from\": null,\n \"first_folder_name\": null,\n \"folder_history\": [],\n \"forwarder_email\": null,\n \"from_domain\": \"mycorp.com\",\n \"from_email\": \"john.doe@mycorp.com\",\n \"from_id\": \"00000000-0000-0000-0000-000000000000\",\n \"from_name\": \"John Doe\",\n \"geo_city\": \"Rennes\",\n \"geo_country\": \"France\",\n \"geo_region\": \"Ille-et-Vilaine\",\n \"has_calendar_event\": false,\n \"has_encrypted_attachments\": false,\n \"has_internal_recipient\": false,\n \"insert_time_sqs\": \"2026-01-13T17:00:17.147000Z\",\n \"internet_message_id\": \"<O000000000000000000000000000000000@example.com>\",\n \"is_attachment_changed\": false,\n \"is_attachment_restored\": false,\n \"is_body_changed\": false,\n \"is_deleted\": false,\n \"is_encrypted_attachments_removed\": null,\n \"is_first_in_junk\": null,\n \"is_group_user\": null,\n \"is_in_junk\": null,\n \"is_in_s3_quarantine\": false,\n \"is_incoming\": false,\n \"is_inline_handled\": false,\n \"is_internal\": false,\n \"is_links_replaced\": false,\n \"is_outgoing\": true,\n \"is_quarantine_notification\": false,\n \"is_quarantine_user_notification\": false,\n \"is_quarantined\": false,\n \"is_read\": null,\n 
\"is_restore_declined\": false,\n \"is_restore_requested\": false,\n \"is_restored\": false,\n \"is_sent_from_internal\": true,\n \"is_signed\": false,\n \"is_spam_header_added\": false,\n \"is_splittable\": true,\n \"is_subject_changed\": false,\n \"is_wd_rescan\": false,\n \"manager_address\": null,\n \"matched_workflows\": null,\n \"mode\": \"monitor\",\n \"ms_quarantine_status\": null,\n \"ms_quarantine_verdict_type\": null,\n \"network_message_id\": \"66666666-6666-6666-6666-666666666666\",\n \"orig_message_id\": null,\n \"orig_recipient\": \"john.doe@mycorp.com\",\n \"orig_subject\": null,\n \"password_protected_require_password_time\": null,\n \"password_protected_restore_time\": null,\n \"password_protected_status\": null,\n \"password_protected_uuid\": null,\n \"quarantine_actor\": null,\n \"quarantine_time\": null,\n \"quarantine_uuid\": null,\n \"recipients\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_hash\": \"dc44eaf82ea2617fa505c3186253638b\",\n \"recipients_journal\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"reply_to_email\": null,\n \"reply_to_nickname\": null,\n \"report_phishing_blacklist_time\": null,\n \"report_phishing_decline_actor\": null,\n \"report_phishing_decline_reason\": null,\n \"report_phishing_decline_time\": null,\n \"report_phishing_detection_time\": null,\n \"report_phishing_email_hash_md5\": null,\n \"report_phishing_original\": null,\n \"report_phishing_service_name\": null,\n \"report_phishing_service_type\": null,\n \"report_phishing_source\": null,\n \"request_password_at\": null,\n \"restore_actor\": null,\n \"restore_commentary\": null,\n \"restore_decline_actor\": null,\n \"restore_decline_reason\": null,\n 
\"restore_decline_time\": null,\n \"restore_request_actor_type\": null,\n \"restore_request_source\": null,\n \"restore_request_time\": null,\n \"restore_time\": null,\n \"restored_message_id\": null,\n \"saas_phishing_verdict\": null,\n \"saas_spam_verdict\": \"1\",\n \"sender_client_ip\": \"1.2.3.4\",\n \"sender_server_ip\": \"2001:db8::2fe5\",\n \"sent_datetime\": \"2026-01-13T17:00:12Z\",\n \"size\": 19472,\n \"smart_banner_category\": null,\n \"source\": \"mta\",\n \"spf_result\": null,\n \"subject\": \"Credit card number\",\n \"to\": [\n \"jane.doe@test.com\"\n ],\n \"to_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"workflow\": null\n },\n \"entity_security_result\": {\n \"ap\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 71.57221,\n \"status_description\": null,\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ap\",\n \"payload\": {\n \"reasons_by_category_list\": [],\n \"reasons_by_category\": {},\n \"reasons\": []\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"avanan_ap_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"combined_dlp_hit_count\": 1,\n \"combined_verdict\": {\n \"dlp\": \"leak\",\n \"ms_defender\": \"clean\",\n \"ap\": \"clean\"\n },\n \"dlp\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"DLP rule match: PCI\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"dlp\",\n \"payload\": {\n \"matches_dlp_rules\": [\n \"PCI\"\n ],\n \"found_text\": [\n \"****************111\"\n ],\n \"scan_details\": [\n \"Credit card number (likely): 
****************111\"\n ],\n \"hit_count\": 1\n },\n \"verdict\": \"leak\",\n \"security_result_entity_type\": \"avanan_dlp\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"findings_summary\": [\n {\n \"sectool_name\": \"avanan_dlp\",\n \"sectool_type\": \"dlp\",\n \"verdict\": \"leak\"\n }\n ],\n \"is_clean\": false,\n \"ms_defender\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ms_defender\",\n \"payload\": {\n \"bcl\": \"0\",\n \"policy_action\": \"delivered\",\n \"detection_reason\": \"non_spam\",\n \"scl\": \"1\",\n \"policy_applied\": \"none\"\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"ms_defender_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ]\n },\n \"saas_info\": {\n \"saas_actor_id\": \"john.doe@mycorp.com\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_actor_type\": \"office365_emails_user\",\n \"saas_entity_created\": \"2026-01-13T17:00:12Z\",\n \"saas_entity_type\": \"email\",\n \"saas_id\": \"office365_emails\"\n },\n \"time\": \"2026-01-13T17:00:34.076069Z\"\n }\n }\n}",
"event": {
"action": "send_email_to",
"category": [
"iam"
],
"provider": "avanan_dlp",
"reason": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"severity": 3,
"type": [
"info"
]
},
"@timestamp": "2026-01-13T17:00:24.508990Z",
"checkpoint": {
"harmony_email": {
"confidence": {
"indicator": "detected",
"level": 5
},
"saas_application": "office365_emails",
"scan_details": [
"Credit card number (likely): ****************111"
],
"verdict": {
"ap": "clean",
"dlp": "leak",
"ms_defender": "clean"
}
}
},
"cloud": {
"account": {
"id": "test"
},
"provider": "checkpoint",
"region": "eu-west-1"
},
"email": {
"direction": "outbound",
"from": {
"address": "john.doe@mycorp.com"
},
"local_id": "66666666-6666-6666-6666-666666666666",
"message_id": "<O000000000000000000000000000000000@example.com>",
"subject": "Credit card number",
"to": {
"address": [
"jane.doe@test.com"
]
}
},
"observer": {
"name": "emails-9097588-8",
"product": "Harmony Email and Collaboration",
"vendor": "Checkpoint"
},
"related": {
"hosts": [
"mycorp.com"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"description": "DLP rule match: PCI",
"id": "17682366990433"
},
"source": {
"address": "mycorp.com",
"domain": "mycorp.com",
"ip": "1.2.3.4",
"registered_domain": "mycorp.com",
"top_level_domain": "com",
"user": {
"email": "john.doe@mycorp.com",
"full_name": "John Doe",
"id": "00000000-0000-0000-0000-000000000000"
}
}
}
{
"message": "{\n \"event\": {\n \"security_event\": {\n \"entity_info\": {\n \"customer_cluster\": [\n \"8\"\n ],\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"checkpoint\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:22.780083+00:00\",\n \"entity_expiration\": 1784739622,\n \"entity_id\": \"00000000000000000000000000000000\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_sub_type\": \"dlp\",\n \"entity_type\": \"security_event\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"11111111111111111111111111111111\",\n \"category\": \"dlp\",\n \"confidence_indicator\": \"detected\",\n \"confidence_level\": 5,\n \"current_state\": \"detected\",\n \"description\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected #{\\\"label\\\": \\\"PCI\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\"}'s mailbox)\",\n \"description_short\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected a leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": 
\\\"office365_emails_user\\\"})\",\n \"description_text\": \"SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)\",\n \"description_tooltips\": [\n \"Member\",\n \"John Doe\",\n \"Credit card number\",\n \"john.doe@mycorp.com\",\n \"2026-01-13T17:00:12\",\n \"Detected\"\n ],\n \"event_metadata\": {\n \"sender_address\": \"john.doe@mycorp.com\",\n \"is_internal\": null,\n \"spam_verdict\": null,\n \"is_outgoing\": null,\n \"dlp_detections\": [\n \"Credit card number\"\n ]\n },\n \"event_trigger\": {\n \"type\": \"Policy\",\n \"id\": 17682366990433\n },\n \"matched_security_tool\": \"avanan_dlp\",\n \"metadata_json\": {\n \"impersonation_description\": \"Other\",\n \"impersonate_nickname_new\": null\n },\n \"multi\": false,\n \"policy_rule_id\": 17682366990433,\n \"saas\": \"office365_emails\",\n \"severity\": 3\n },\n \"entity_security_result\": {},\n \"saas_info\": {\n \"account_id\": [\n \"00000000-0000-0000-0000-000000000000\"\n ],\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_type\": \"office365_emails_email\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_creation_time\": null,\n \"saas_spam_verdict\": null\n },\n \"security_event_action\": [\n {\n \"actor\": \"checkpoint\",\n \"sec_event_id\": \"00000000000000000000000000000000\",\n \"error\": \"\",\n \"create_time\": \"2026-01-13T17:00:24.438085Z\",\n \"action_type\": \"send_email_to\"\n }\n ],\n \"time\": \"2026-01-13T17:00:24.508990Z\",\n \"_id\": \"11111111111111111111111111111111111111111111111111111111111\"\n },\n \"entity\": {\n \"entity_info\": {\n \"customer_cluster\": \"8\",\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": 
\"Check Point\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:17.465214Z\",\n \"entity_expiration\": 1783962017,\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_type\": \"office365_emails_email\",\n \"entity_updated\": \"2026-01-13T17:00:17.465218Z\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"33333333333333333333333333333333\",\n \"attachment_count\": 0,\n \"attachments\": [],\n \"bcc\": [],\n \"bcc_user\": [],\n \"body_content_type\": \"HTML\",\n \"cc\": [],\n \"cc_user\": [],\n \"containers_ids\": null,\n \"containers_names\": null,\n \"dkim_result\": \"none\",\n \"dmarc_result\": \"none\",\n \"email_split\": \"original\",\n \"encryption_status\": null,\n \"envelope_from\": null,\n \"first_folder_name\": null,\n \"folder_history\": [],\n \"forwarder_email\": null,\n \"from_domain\": \"mycorp.com\",\n \"from_email\": \"john.doe@mycorp.com\",\n \"from_id\": \"00000000-0000-0000-0000-000000000000\",\n \"from_name\": \"John Doe\",\n \"geo_city\": \"Rennes\",\n \"geo_country\": \"France\",\n \"geo_region\": \"Ille-et-Vilaine\",\n \"has_calendar_event\": false,\n \"has_encrypted_attachments\": false,\n \"has_internal_recipient\": false,\n \"insert_time_sqs\": \"2026-01-13T17:00:17.147000Z\",\n \"internet_message_id\": \"<O000000000000000000000000000000000@example.com>\",\n \"is_attachment_changed\": false,\n \"is_attachment_restored\": false,\n \"is_body_changed\": false,\n \"is_deleted\": false,\n \"is_encrypted_attachments_removed\": null,\n \"is_first_in_junk\": null,\n \"is_group_user\": null,\n \"is_in_junk\": null,\n \"is_in_s3_quarantine\": false,\n \"is_incoming\": false,\n \"is_inline_handled\": false,\n \"is_internal\": false,\n \"is_links_replaced\": false,\n \"is_outgoing\": true,\n \"is_quarantine_notification\": false,\n \"is_quarantine_user_notification\": false,\n \"is_quarantined\": false,\n \"is_read\": null,\n 
\"is_restore_declined\": false,\n \"is_restore_requested\": false,\n \"is_restored\": false,\n \"is_sent_from_internal\": true,\n \"is_signed\": false,\n \"is_spam_header_added\": false,\n \"is_splittable\": true,\n \"is_subject_changed\": false,\n \"is_wd_rescan\": false,\n \"manager_address\": null,\n \"matched_workflows\": null,\n \"mode\": \"monitor\",\n \"ms_quarantine_status\": null,\n \"ms_quarantine_verdict_type\": null,\n \"network_message_id\": \"66666666-6666-6666-6666-666666666666\",\n \"orig_message_id\": null,\n \"orig_recipient\": \"john.doe@mycorp.com\",\n \"orig_subject\": null,\n \"password_protected_require_password_time\": null,\n \"password_protected_restore_time\": null,\n \"password_protected_status\": null,\n \"password_protected_uuid\": null,\n \"quarantine_actor\": null,\n \"quarantine_time\": null,\n \"quarantine_uuid\": null,\n \"recipients\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_hash\": \"dc44eaf82ea2617fa505c3186253638b\",\n \"recipients_journal\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"reply_to_email\": null,\n \"reply_to_nickname\": null,\n \"report_phishing_blacklist_time\": null,\n \"report_phishing_decline_actor\": null,\n \"report_phishing_decline_reason\": null,\n \"report_phishing_decline_time\": null,\n \"report_phishing_detection_time\": null,\n \"report_phishing_email_hash_md5\": null,\n \"report_phishing_original\": null,\n \"report_phishing_service_name\": null,\n \"report_phishing_service_type\": null,\n \"report_phishing_source\": null,\n \"request_password_at\": null,\n \"restore_actor\": null,\n \"restore_commentary\": null,\n \"restore_decline_actor\": null,\n \"restore_decline_reason\": null,\n 
\"restore_decline_time\": null,\n \"restore_request_actor_type\": null,\n \"restore_request_source\": null,\n \"restore_request_time\": null,\n \"restore_time\": null,\n \"restored_message_id\": null,\n \"saas_phishing_verdict\": null,\n \"saas_spam_verdict\": \"1\",\n \"sender_client_ip\": \"1.2.3.4\",\n \"sender_server_ip\": \"2001:db8::2fe5\",\n \"sent_datetime\": \"2026-01-13T17:00:12Z\",\n \"size\": 19472,\n \"smart_banner_category\": null,\n \"source\": \"mta\",\n \"spf_result\": null,\n \"subject\": \"Credit card number\",\n \"to\": [\n \"jane.doe@test.com\"\n ],\n \"to_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"workflow\": null\n },\n \"entity_security_result\": {\n \"ap\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 71.57221,\n \"status_description\": null,\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ap\",\n \"payload\": {\n \"reasons_by_category_list\": [],\n \"reasons_by_category\": {},\n \"reasons\": []\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"avanan_ap_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"combined_dlp_hit_count\": 1,\n \"combined_verdict\": {\n \"dlp\": \"leak\",\n \"ms_defender\": \"clean\",\n \"ap\": \"clean\"\n },\n \"dlp\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"DLP rule match: PCI\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"dlp\",\n \"payload\": {\n \"matches_dlp_rules\": [\n \"PCI\"\n ],\n \"found_text\": [\n \"****************111\"\n ],\n \"scan_details\": [\n \"Credit card number (likely): 
****************111\"\n ],\n \"hit_count\": 1\n },\n \"verdict\": \"leak\",\n \"security_result_entity_type\": \"avanan_dlp\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"findings_summary\": [\n {\n \"sectool_name\": \"avanan_dlp\",\n \"sectool_type\": \"dlp\",\n \"verdict\": \"leak\"\n }\n ],\n \"is_clean\": false,\n \"ms_defender\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ms_defender\",\n \"payload\": {\n \"bcl\": \"0\",\n \"policy_action\": \"delivered\",\n \"detection_reason\": \"non_spam\",\n \"scl\": \"1\",\n \"policy_applied\": \"none\"\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"ms_defender_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ]\n },\n \"saas_info\": {\n \"saas_actor_id\": \"john.doe@mycorp.com\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_actor_type\": \"office365_emails_user\",\n \"saas_entity_created\": \"2026-01-13T17:00:12Z\",\n \"saas_entity_type\": \"email\",\n \"saas_id\": \"office365_emails\"\n },\n \"time\": \"2026-01-13T17:00:34.076069Z\"\n }\n }\n}",
"event": {
"action": "send_email_to",
"category": [
"file"
],
"provider": "avanan_dlp",
"reason": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"severity": 3,
"type": [
"info"
]
},
"@timestamp": "2026-01-13T17:00:24.508990Z",
"checkpoint": {
"harmony_email": {
"confidence": {
"indicator": "detected",
"level": 5
},
"saas_application": "office365_emails",
"scan_details": [
"Credit card number (likely): ****************111"
],
"verdict": {
"ap": "clean",
"dlp": "leak",
"ms_defender": "clean"
}
}
},
"cloud": {
"account": {
"id": "test"
},
"provider": "checkpoint",
"region": "eu-west-1"
},
"email": {
"direction": "outbound",
"from": {
"address": "john.doe@mycorp.com"
},
"local_id": "66666666-6666-6666-6666-666666666666",
"message_id": "<O000000000000000000000000000000000@example.com>",
"subject": "Credit card number",
"to": {
"address": [
"jane.doe@test.com"
]
}
},
"observer": {
"name": "emails-9097588-8",
"product": "Harmony Email and Collaboration",
"vendor": "Checkpoint"
},
"related": {
"hosts": [
"mycorp.com"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"description": "DLP rule match: PCI",
"id": "17682366990433"
},
"source": {
"address": "mycorp.com",
"domain": "mycorp.com",
"ip": "1.2.3.4",
"registered_domain": "mycorp.com",
"top_level_domain": "com",
"user": {
"email": "john.doe@mycorp.com",
"full_name": "John Doe",
"id": "00000000-0000-0000-0000-000000000000"
}
}
}
{
"message": "{\n \"event\": {\n \"security_event\": {\n \"entity_info\": {\n \"customer_cluster\": [\n \"8\"\n ],\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"checkpoint\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:22.780083+00:00\",\n \"entity_expiration\": 1784739622,\n \"entity_id\": \"00000000000000000000000000000000\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_sub_type\": \"dlp\",\n \"entity_type\": \"security_event\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"11111111111111111111111111111111\",\n \"category\": \"malicious_url_click\",\n \"confidence_indicator\": \"detected\",\n \"confidence_level\": 5,\n \"current_state\": \"detected\",\n \"description\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected #{\\\"label\\\": \\\"PCI\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\"}'s mailbox)\",\n \"description_short\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected a leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", 
\\\"entity_type\\\": \\\"office365_emails_user\\\"})\",\n \"description_text\": \"SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)\",\n \"description_tooltips\": [\n \"Member\",\n \"John Doe\",\n \"Credit card number\",\n \"john.doe@mycorp.com\",\n \"2026-01-13T17:00:12\",\n \"Detected\"\n ],\n \"event_metadata\": {\n \"sender_address\": \"john.doe@mycorp.com\",\n \"is_internal\": null,\n \"spam_verdict\": null,\n \"is_outgoing\": null,\n \"dlp_detections\": [\n \"Credit card number\"\n ]\n },\n \"event_trigger\": {\n \"type\": \"Policy\",\n \"id\": 17682366990433\n },\n \"matched_security_tool\": \"avanan_dlp\",\n \"metadata_json\": {\n \"impersonation_description\": \"Other\",\n \"impersonate_nickname_new\": null\n },\n \"multi\": false,\n \"policy_rule_id\": 17682366990433,\n \"saas\": \"office365_emails\",\n \"severity\": 3\n },\n \"entity_security_result\": {},\n \"saas_info\": {\n \"account_id\": [\n \"00000000-0000-0000-0000-000000000000\"\n ],\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_type\": \"office365_emails_email\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_creation_time\": null,\n \"saas_spam_verdict\": null\n },\n \"security_event_action\": [\n {\n \"actor\": \"checkpoint\",\n \"sec_event_id\": \"00000000000000000000000000000000\",\n \"error\": \"\",\n \"create_time\": \"2026-01-13T17:00:24.438085Z\",\n \"action_type\": \"send_email_to\"\n }\n ],\n \"time\": \"2026-01-13T17:00:24.508990Z\",\n \"_id\": \"11111111111111111111111111111111111111111111111111111111111\"\n },\n \"entity\": {\n \"entity_info\": {\n \"customer_cluster\": \"8\",\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n 
\"customer_oem\": \"Check Point\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:17.465214Z\",\n \"entity_expiration\": 1783962017,\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_type\": \"office365_emails_email\",\n \"entity_updated\": \"2026-01-13T17:00:17.465218Z\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"33333333333333333333333333333333\",\n \"attachment_count\": 0,\n \"attachments\": [],\n \"bcc\": [],\n \"bcc_user\": [],\n \"body_content_type\": \"HTML\",\n \"cc\": [],\n \"cc_user\": [],\n \"containers_ids\": null,\n \"containers_names\": null,\n \"dkim_result\": \"none\",\n \"dmarc_result\": \"none\",\n \"email_split\": \"original\",\n \"encryption_status\": null,\n \"envelope_from\": null,\n \"first_folder_name\": null,\n \"folder_history\": [],\n \"forwarder_email\": null,\n \"from_domain\": \"mycorp.com\",\n \"from_email\": \"john.doe@mycorp.com\",\n \"from_id\": \"00000000-0000-0000-0000-000000000000\",\n \"from_name\": \"John Doe\",\n \"geo_city\": \"Rennes\",\n \"geo_country\": \"France\",\n \"geo_region\": \"Ille-et-Vilaine\",\n \"has_calendar_event\": false,\n \"has_encrypted_attachments\": false,\n \"has_internal_recipient\": false,\n \"insert_time_sqs\": \"2026-01-13T17:00:17.147000Z\",\n \"internet_message_id\": \"<O000000000000000000000000000000000@example.com>\",\n \"is_attachment_changed\": false,\n \"is_attachment_restored\": false,\n \"is_body_changed\": false,\n \"is_deleted\": false,\n \"is_encrypted_attachments_removed\": null,\n \"is_first_in_junk\": null,\n \"is_group_user\": null,\n \"is_in_junk\": null,\n \"is_in_s3_quarantine\": false,\n \"is_incoming\": false,\n \"is_inline_handled\": false,\n \"is_internal\": false,\n \"is_links_replaced\": false,\n \"is_outgoing\": true,\n \"is_quarantine_notification\": false,\n \"is_quarantine_user_notification\": false,\n \"is_quarantined\": false,\n \"is_read\": 
null,\n \"is_restore_declined\": false,\n \"is_restore_requested\": false,\n \"is_restored\": false,\n \"is_sent_from_internal\": true,\n \"is_signed\": false,\n \"is_spam_header_added\": false,\n \"is_splittable\": true,\n \"is_subject_changed\": false,\n \"is_wd_rescan\": false,\n \"manager_address\": null,\n \"matched_workflows\": null,\n \"mode\": \"monitor\",\n \"ms_quarantine_status\": null,\n \"ms_quarantine_verdict_type\": null,\n \"network_message_id\": \"66666666-6666-6666-6666-666666666666\",\n \"orig_message_id\": null,\n \"orig_recipient\": \"john.doe@mycorp.com\",\n \"orig_subject\": null,\n \"password_protected_require_password_time\": null,\n \"password_protected_restore_time\": null,\n \"password_protected_status\": null,\n \"password_protected_uuid\": null,\n \"quarantine_actor\": null,\n \"quarantine_time\": null,\n \"quarantine_uuid\": null,\n \"recipients\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_hash\": \"dc44eaf82ea2617fa505c3186253638b\",\n \"recipients_journal\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"reply_to_email\": null,\n \"reply_to_nickname\": null,\n \"report_phishing_blacklist_time\": null,\n \"report_phishing_decline_actor\": null,\n \"report_phishing_decline_reason\": null,\n \"report_phishing_decline_time\": null,\n \"report_phishing_detection_time\": null,\n \"report_phishing_email_hash_md5\": null,\n \"report_phishing_original\": null,\n \"report_phishing_service_name\": null,\n \"report_phishing_service_type\": null,\n \"report_phishing_source\": null,\n \"request_password_at\": null,\n \"restore_actor\": null,\n \"restore_commentary\": null,\n \"restore_decline_actor\": null,\n \"restore_decline_reason\": 
null,\n \"restore_decline_time\": null,\n \"restore_request_actor_type\": null,\n \"restore_request_source\": null,\n \"restore_request_time\": null,\n \"restore_time\": null,\n \"restored_message_id\": null,\n \"saas_phishing_verdict\": null,\n \"saas_spam_verdict\": \"1\",\n \"sender_client_ip\": \"1.2.3.4\",\n \"sender_server_ip\": \"2001:db8::2fe5\",\n \"sent_datetime\": \"2026-01-13T17:00:12Z\",\n \"size\": 19472,\n \"smart_banner_category\": null,\n \"source\": \"mta\",\n \"spf_result\": null,\n \"subject\": \"Credit card number\",\n \"to\": [\n \"jane.doe@test.com\"\n ],\n \"to_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"workflow\": null\n },\n \"entity_security_result\": {\n \"ap\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 71.57221,\n \"status_description\": null,\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ap\",\n \"payload\": {\n \"reasons_by_category_list\": [],\n \"reasons_by_category\": {},\n \"reasons\": []\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"avanan_ap_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"combined_dlp_hit_count\": 1,\n \"combined_verdict\": {\n \"dlp\": \"leak\",\n \"ms_defender\": \"clean\",\n \"ap\": \"clean\"\n },\n \"dlp\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"DLP rule match: PCI\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"dlp\",\n \"payload\": {\n \"matches_dlp_rules\": [\n \"PCI\"\n ],\n \"found_text\": [\n \"****************111\"\n ],\n \"scan_details\": [\n \"Credit card number (likely): 
****************111\"\n ],\n \"hit_count\": 1\n },\n \"verdict\": \"leak\",\n \"security_result_entity_type\": \"avanan_dlp\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"findings_summary\": [\n {\n \"sectool_name\": \"avanan_dlp\",\n \"sectool_type\": \"dlp\",\n \"verdict\": \"leak\"\n }\n ],\n \"is_clean\": false,\n \"ms_defender\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ms_defender\",\n \"payload\": {\n \"bcl\": \"0\",\n \"policy_action\": \"delivered\",\n \"detection_reason\": \"non_spam\",\n \"scl\": \"1\",\n \"policy_applied\": \"none\"\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"ms_defender_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ]\n },\n \"saas_info\": {\n \"saas_actor_id\": \"john.doe@mycorp.com\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_actor_type\": \"office365_emails_user\",\n \"saas_entity_created\": \"2026-01-13T17:00:12Z\",\n \"saas_entity_type\": \"email\",\n \"saas_id\": \"office365_emails\"\n },\n \"time\": \"2026-01-13T17:00:34.076069Z\"\n }\n }\n}",
"event": {
"action": "send_email_to",
"category": [
"threat"
],
"provider": "avanan_dlp",
"reason": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"severity": 3,
"type": [
"indicator"
]
},
"@timestamp": "2026-01-13T17:00:24.508990Z",
"checkpoint": {
"harmony_email": {
"confidence": {
"indicator": "detected",
"level": 5
},
"saas_application": "office365_emails",
"scan_details": [
"Credit card number (likely): ****************111"
],
"verdict": {
"ap": "clean",
"dlp": "leak",
"ms_defender": "clean"
}
}
},
"cloud": {
"account": {
"id": "test"
},
"provider": "checkpoint",
"region": "eu-west-1"
},
"email": {
"direction": "outbound",
"from": {
"address": "john.doe@mycorp.com"
},
"local_id": "66666666-6666-6666-6666-666666666666",
"message_id": "<O000000000000000000000000000000000@example.com>",
"subject": "Credit card number",
"to": {
"address": [
"jane.doe@test.com"
]
}
},
"observer": {
"name": "emails-9097588-8",
"product": "Harmony Email and Collaboration",
"vendor": "Checkpoint"
},
"related": {
"hosts": [
"mycorp.com"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"description": "DLP rule match: PCI",
"id": "17682366990433"
},
"source": {
"address": "mycorp.com",
"domain": "mycorp.com",
"ip": "1.2.3.4",
"registered_domain": "mycorp.com",
"top_level_domain": "com",
"user": {
"email": "john.doe@mycorp.com",
"full_name": "John Doe",
"id": "00000000-0000-0000-0000-000000000000"
}
}
}
{
"message": "{\n \"event\": {\n \"security_event\": {\n \"entity_info\": {\n \"customer_cluster\": [\n \"8\"\n ],\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"checkpoint\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:22.780083+00:00\",\n \"entity_expiration\": 1784739622,\n \"entity_id\": \"00000000000000000000000000000000\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_sub_type\": \"dlp\",\n \"entity_type\": \"security_event\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"11111111111111111111111111111111\",\n \"category\": \"malicious_url\",\n \"confidence_indicator\": \"detected\",\n \"confidence_level\": 5,\n \"current_state\": \"detected\",\n \"description\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected #{\\\"label\\\": \\\"PCI\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\"}'s mailbox)\",\n \"description_short\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected a leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": 
\\\"office365_emails_user\\\"})\",\n \"description_text\": \"SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)\",\n \"description_tooltips\": [\n \"Member\",\n \"John Doe\",\n \"Credit card number\",\n \"john.doe@mycorp.com\",\n \"2026-01-13T17:00:12\",\n \"Detected\"\n ],\n \"event_metadata\": {\n \"sender_address\": \"john.doe@mycorp.com\",\n \"is_internal\": null,\n \"spam_verdict\": null,\n \"is_outgoing\": null,\n \"dlp_detections\": [\n \"Credit card number\"\n ]\n },\n \"event_trigger\": {\n \"type\": \"Policy\",\n \"id\": 17682366990433\n },\n \"matched_security_tool\": \"avanan_dlp\",\n \"metadata_json\": {\n \"impersonation_description\": \"Other\",\n \"impersonate_nickname_new\": null\n },\n \"multi\": false,\n \"policy_rule_id\": 17682366990433,\n \"saas\": \"office365_emails\",\n \"severity\": 3\n },\n \"entity_security_result\": {},\n \"saas_info\": {\n \"account_id\": [\n \"00000000-0000-0000-0000-000000000000\"\n ],\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_type\": \"office365_emails_email\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_creation_time\": null,\n \"saas_spam_verdict\": null\n },\n \"security_event_action\": [\n {\n \"actor\": \"checkpoint\",\n \"sec_event_id\": \"00000000000000000000000000000000\",\n \"error\": \"\",\n \"create_time\": \"2026-01-13T17:00:24.438085Z\",\n \"action_type\": \"send_email_to\"\n }\n ],\n \"time\": \"2026-01-13T17:00:24.508990Z\",\n \"_id\": \"11111111111111111111111111111111111111111111111111111111111\"\n },\n \"entity\": {\n \"entity_info\": {\n \"customer_cluster\": \"8\",\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": 
\"Check Point\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:17.465214Z\",\n \"entity_expiration\": 1783962017,\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_type\": \"office365_emails_email\",\n \"entity_updated\": \"2026-01-13T17:00:17.465218Z\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"33333333333333333333333333333333\",\n \"attachment_count\": 0,\n \"attachments\": [],\n \"bcc\": [],\n \"bcc_user\": [],\n \"body_content_type\": \"HTML\",\n \"cc\": [],\n \"cc_user\": [],\n \"containers_ids\": null,\n \"containers_names\": null,\n \"dkim_result\": \"none\",\n \"dmarc_result\": \"none\",\n \"email_split\": \"original\",\n \"encryption_status\": null,\n \"envelope_from\": null,\n \"first_folder_name\": null,\n \"folder_history\": [],\n \"forwarder_email\": null,\n \"from_domain\": \"mycorp.com\",\n \"from_email\": \"john.doe@mycorp.com\",\n \"from_id\": \"00000000-0000-0000-0000-000000000000\",\n \"from_name\": \"John Doe\",\n \"geo_city\": \"Rennes\",\n \"geo_country\": \"France\",\n \"geo_region\": \"Ille-et-Vilaine\",\n \"has_calendar_event\": false,\n \"has_encrypted_attachments\": false,\n \"has_internal_recipient\": false,\n \"insert_time_sqs\": \"2026-01-13T17:00:17.147000Z\",\n \"internet_message_id\": \"<O000000000000000000000000000000000@example.com>\",\n \"is_attachment_changed\": false,\n \"is_attachment_restored\": false,\n \"is_body_changed\": false,\n \"is_deleted\": false,\n \"is_encrypted_attachments_removed\": null,\n \"is_first_in_junk\": null,\n \"is_group_user\": null,\n \"is_in_junk\": null,\n \"is_in_s3_quarantine\": false,\n \"is_incoming\": false,\n \"is_inline_handled\": false,\n \"is_internal\": false,\n \"is_links_replaced\": false,\n \"is_outgoing\": true,\n \"is_quarantine_notification\": false,\n \"is_quarantine_user_notification\": false,\n \"is_quarantined\": false,\n \"is_read\": null,\n 
\"is_restore_declined\": false,\n \"is_restore_requested\": false,\n \"is_restored\": false,\n \"is_sent_from_internal\": true,\n \"is_signed\": false,\n \"is_spam_header_added\": false,\n \"is_splittable\": true,\n \"is_subject_changed\": false,\n \"is_wd_rescan\": false,\n \"manager_address\": null,\n \"matched_workflows\": null,\n \"mode\": \"monitor\",\n \"ms_quarantine_status\": null,\n \"ms_quarantine_verdict_type\": null,\n \"network_message_id\": \"66666666-6666-6666-6666-666666666666\",\n \"orig_message_id\": null,\n \"orig_recipient\": \"john.doe@mycorp.com\",\n \"orig_subject\": null,\n \"password_protected_require_password_time\": null,\n \"password_protected_restore_time\": null,\n \"password_protected_status\": null,\n \"password_protected_uuid\": null,\n \"quarantine_actor\": null,\n \"quarantine_time\": null,\n \"quarantine_uuid\": null,\n \"recipients\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_hash\": \"dc44eaf82ea2617fa505c3186253638b\",\n \"recipients_journal\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"reply_to_email\": null,\n \"reply_to_nickname\": null,\n \"report_phishing_blacklist_time\": null,\n \"report_phishing_decline_actor\": null,\n \"report_phishing_decline_reason\": null,\n \"report_phishing_decline_time\": null,\n \"report_phishing_detection_time\": null,\n \"report_phishing_email_hash_md5\": null,\n \"report_phishing_original\": null,\n \"report_phishing_service_name\": null,\n \"report_phishing_service_type\": null,\n \"report_phishing_source\": null,\n \"request_password_at\": null,\n \"restore_actor\": null,\n \"restore_commentary\": null,\n \"restore_decline_actor\": null,\n \"restore_decline_reason\": null,\n 
\"restore_decline_time\": null,\n \"restore_request_actor_type\": null,\n \"restore_request_source\": null,\n \"restore_request_time\": null,\n \"restore_time\": null,\n \"restored_message_id\": null,\n \"saas_phishing_verdict\": null,\n \"saas_spam_verdict\": \"1\",\n \"sender_client_ip\": \"1.2.3.4\",\n \"sender_server_ip\": \"2001:db8::2fe5\",\n \"sent_datetime\": \"2026-01-13T17:00:12Z\",\n \"size\": 19472,\n \"smart_banner_category\": null,\n \"source\": \"mta\",\n \"spf_result\": null,\n \"subject\": \"Credit card number\",\n \"to\": [\n \"jane.doe@test.com\"\n ],\n \"to_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"workflow\": null\n },\n \"entity_security_result\": {\n \"ap\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 71.57221,\n \"status_description\": null,\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ap\",\n \"payload\": {\n \"reasons_by_category_list\": [],\n \"reasons_by_category\": {},\n \"reasons\": []\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"avanan_ap_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"combined_dlp_hit_count\": 1,\n \"combined_verdict\": {\n \"dlp\": \"leak\",\n \"ms_defender\": \"clean\",\n \"ap\": \"clean\"\n },\n \"dlp\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"DLP rule match: PCI\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"dlp\",\n \"payload\": {\n \"matches_dlp_rules\": [\n \"PCI\"\n ],\n \"found_text\": [\n \"****************111\"\n ],\n \"scan_details\": [\n \"Credit card number (likely): 
****************111\"\n ],\n \"hit_count\": 1\n },\n \"verdict\": \"leak\",\n \"security_result_entity_type\": \"avanan_dlp\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"findings_summary\": [\n {\n \"sectool_name\": \"avanan_dlp\",\n \"sectool_type\": \"dlp\",\n \"verdict\": \"leak\"\n }\n ],\n \"is_clean\": false,\n \"ms_defender\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ms_defender\",\n \"payload\": {\n \"bcl\": \"0\",\n \"policy_action\": \"delivered\",\n \"detection_reason\": \"non_spam\",\n \"scl\": \"1\",\n \"policy_applied\": \"none\"\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"ms_defender_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ]\n },\n \"saas_info\": {\n \"saas_actor_id\": \"john.doe@mycorp.com\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_actor_type\": \"office365_emails_user\",\n \"saas_entity_created\": \"2026-01-13T17:00:12Z\",\n \"saas_entity_type\": \"email\",\n \"saas_id\": \"office365_emails\"\n },\n \"time\": \"2026-01-13T17:00:34.076069Z\"\n }\n }\n}",
"event": {
"action": "send_email_to",
"category": [
"threat"
],
"provider": "avanan_dlp",
"reason": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"severity": 3,
"type": [
"indicator"
]
},
"@timestamp": "2026-01-13T17:00:24.508990Z",
"checkpoint": {
"harmony_email": {
"confidence": {
"indicator": "detected",
"level": 5
},
"saas_application": "office365_emails",
"scan_details": [
"Credit card number (likely): ****************111"
],
"verdict": {
"ap": "clean",
"dlp": "leak",
"ms_defender": "clean"
}
}
},
"cloud": {
"account": {
"id": "test"
},
"provider": "checkpoint",
"region": "eu-west-1"
},
"email": {
"direction": "outbound",
"from": {
"address": "john.doe@mycorp.com"
},
"local_id": "66666666-6666-6666-6666-666666666666",
"message_id": "<O000000000000000000000000000000000@example.com>",
"subject": "Credit card number",
"to": {
"address": [
"jane.doe@test.com"
]
}
},
"observer": {
"name": "emails-9097588-8",
"product": "Harmony Email and Collaboration",
"vendor": "Checkpoint"
},
"related": {
"hosts": [
"mycorp.com"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"description": "DLP rule match: PCI",
"id": "17682366990433"
},
"source": {
"address": "mycorp.com",
"domain": "mycorp.com",
"ip": "1.2.3.4",
"registered_domain": "mycorp.com",
"top_level_domain": "com",
"user": {
"email": "john.doe@mycorp.com",
"full_name": "John Doe",
"id": "00000000-0000-0000-0000-000000000000"
}
}
}
{
"message": "{\n \"event\": {\n \"security_event\": {\n \"entity_info\": {\n \"customer_cluster\": [\n \"8\"\n ],\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"checkpoint\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:22.780083+00:00\",\n \"entity_expiration\": 1784739622,\n \"entity_id\": \"00000000000000000000000000000000\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_sub_type\": \"dlp\",\n \"entity_type\": \"security_event\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"11111111111111111111111111111111\",\n \"category\": \"malware\",\n \"confidence_indicator\": \"detected\",\n \"confidence_level\": 5,\n \"current_state\": \"detected\",\n \"description\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected #{\\\"label\\\": \\\"PCI\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\"}'s mailbox)\",\n \"description_short\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected a leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": 
\\\"office365_emails_user\\\"})\",\n \"description_text\": \"SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)\",\n \"description_tooltips\": [\n \"Member\",\n \"John Doe\",\n \"Credit card number\",\n \"john.doe@mycorp.com\",\n \"2026-01-13T17:00:12\",\n \"Detected\"\n ],\n \"event_metadata\": {\n \"sender_address\": \"john.doe@mycorp.com\",\n \"is_internal\": null,\n \"spam_verdict\": null,\n \"is_outgoing\": null,\n \"dlp_detections\": [\n \"Credit card number\"\n ]\n },\n \"event_trigger\": {\n \"type\": \"Policy\",\n \"id\": 17682366990433\n },\n \"matched_security_tool\": \"avanan_dlp\",\n \"metadata_json\": {\n \"impersonation_description\": \"Other\",\n \"impersonate_nickname_new\": null\n },\n \"multi\": false,\n \"policy_rule_id\": 17682366990433,\n \"saas\": \"office365_emails\",\n \"severity\": 3\n },\n \"entity_security_result\": {},\n \"saas_info\": {\n \"account_id\": [\n \"00000000-0000-0000-0000-000000000000\"\n ],\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_type\": \"office365_emails_email\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_creation_time\": null,\n \"saas_spam_verdict\": null\n },\n \"security_event_action\": [\n {\n \"actor\": \"checkpoint\",\n \"sec_event_id\": \"00000000000000000000000000000000\",\n \"error\": \"\",\n \"create_time\": \"2026-01-13T17:00:24.438085Z\",\n \"action_type\": \"send_email_to\"\n }\n ],\n \"time\": \"2026-01-13T17:00:24.508990Z\",\n \"_id\": \"11111111111111111111111111111111111111111111111111111111111\"\n },\n \"entity\": {\n \"entity_info\": {\n \"customer_cluster\": \"8\",\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": 
\"Check Point\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:17.465214Z\",\n \"entity_expiration\": 1783962017,\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_type\": \"office365_emails_email\",\n \"entity_updated\": \"2026-01-13T17:00:17.465218Z\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"33333333333333333333333333333333\",\n \"attachment_count\": 0,\n \"attachments\": [],\n \"bcc\": [],\n \"bcc_user\": [],\n \"body_content_type\": \"HTML\",\n \"cc\": [],\n \"cc_user\": [],\n \"containers_ids\": null,\n \"containers_names\": null,\n \"dkim_result\": \"none\",\n \"dmarc_result\": \"none\",\n \"email_split\": \"original\",\n \"encryption_status\": null,\n \"envelope_from\": null,\n \"first_folder_name\": null,\n \"folder_history\": [],\n \"forwarder_email\": null,\n \"from_domain\": \"mycorp.com\",\n \"from_email\": \"john.doe@mycorp.com\",\n \"from_id\": \"00000000-0000-0000-0000-000000000000\",\n \"from_name\": \"John Doe\",\n \"geo_city\": \"Rennes\",\n \"geo_country\": \"France\",\n \"geo_region\": \"Ille-et-Vilaine\",\n \"has_calendar_event\": false,\n \"has_encrypted_attachments\": false,\n \"has_internal_recipient\": false,\n \"insert_time_sqs\": \"2026-01-13T17:00:17.147000Z\",\n \"internet_message_id\": \"<O000000000000000000000000000000000@example.com>\",\n \"is_attachment_changed\": false,\n \"is_attachment_restored\": false,\n \"is_body_changed\": false,\n \"is_deleted\": false,\n \"is_encrypted_attachments_removed\": null,\n \"is_first_in_junk\": null,\n \"is_group_user\": null,\n \"is_in_junk\": null,\n \"is_in_s3_quarantine\": false,\n \"is_incoming\": false,\n \"is_inline_handled\": false,\n \"is_internal\": false,\n \"is_links_replaced\": false,\n \"is_outgoing\": true,\n \"is_quarantine_notification\": false,\n \"is_quarantine_user_notification\": false,\n \"is_quarantined\": false,\n \"is_read\": null,\n 
\"is_restore_declined\": false,\n \"is_restore_requested\": false,\n \"is_restored\": false,\n \"is_sent_from_internal\": true,\n \"is_signed\": false,\n \"is_spam_header_added\": false,\n \"is_splittable\": true,\n \"is_subject_changed\": false,\n \"is_wd_rescan\": false,\n \"manager_address\": null,\n \"matched_workflows\": null,\n \"mode\": \"monitor\",\n \"ms_quarantine_status\": null,\n \"ms_quarantine_verdict_type\": null,\n \"network_message_id\": \"66666666-6666-6666-6666-666666666666\",\n \"orig_message_id\": null,\n \"orig_recipient\": \"john.doe@mycorp.com\",\n \"orig_subject\": null,\n \"password_protected_require_password_time\": null,\n \"password_protected_restore_time\": null,\n \"password_protected_status\": null,\n \"password_protected_uuid\": null,\n \"quarantine_actor\": null,\n \"quarantine_time\": null,\n \"quarantine_uuid\": null,\n \"recipients\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_hash\": \"dc44eaf82ea2617fa505c3186253638b\",\n \"recipients_journal\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"reply_to_email\": null,\n \"reply_to_nickname\": null,\n \"report_phishing_blacklist_time\": null,\n \"report_phishing_decline_actor\": null,\n \"report_phishing_decline_reason\": null,\n \"report_phishing_decline_time\": null,\n \"report_phishing_detection_time\": null,\n \"report_phishing_email_hash_md5\": null,\n \"report_phishing_original\": null,\n \"report_phishing_service_name\": null,\n \"report_phishing_service_type\": null,\n \"report_phishing_source\": null,\n \"request_password_at\": null,\n \"restore_actor\": null,\n \"restore_commentary\": null,\n \"restore_decline_actor\": null,\n \"restore_decline_reason\": null,\n 
\"restore_decline_time\": null,\n \"restore_request_actor_type\": null,\n \"restore_request_source\": null,\n \"restore_request_time\": null,\n \"restore_time\": null,\n \"restored_message_id\": null,\n \"saas_phishing_verdict\": null,\n \"saas_spam_verdict\": \"1\",\n \"sender_client_ip\": \"1.2.3.4\",\n \"sender_server_ip\": \"2001:db8::2fe5\",\n \"sent_datetime\": \"2026-01-13T17:00:12Z\",\n \"size\": 19472,\n \"smart_banner_category\": null,\n \"source\": \"mta\",\n \"spf_result\": null,\n \"subject\": \"Credit card number\",\n \"to\": [\n \"jane.doe@test.com\"\n ],\n \"to_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"workflow\": null\n },\n \"entity_security_result\": {\n \"ap\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 71.57221,\n \"status_description\": null,\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ap\",\n \"payload\": {\n \"reasons_by_category_list\": [],\n \"reasons_by_category\": {},\n \"reasons\": []\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"avanan_ap_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"combined_dlp_hit_count\": 1,\n \"combined_verdict\": {\n \"dlp\": \"leak\",\n \"ms_defender\": \"clean\",\n \"ap\": \"clean\"\n },\n \"dlp\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"DLP rule match: PCI\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"dlp\",\n \"payload\": {\n \"matches_dlp_rules\": [\n \"PCI\"\n ],\n \"found_text\": [\n \"****************111\"\n ],\n \"scan_details\": [\n \"Credit card number (likely): 
****************111\"\n ],\n \"hit_count\": 1\n },\n \"verdict\": \"leak\",\n \"security_result_entity_type\": \"avanan_dlp\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"findings_summary\": [\n {\n \"sectool_name\": \"avanan_dlp\",\n \"sectool_type\": \"dlp\",\n \"verdict\": \"leak\"\n }\n ],\n \"is_clean\": false,\n \"ms_defender\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ms_defender\",\n \"payload\": {\n \"bcl\": \"0\",\n \"policy_action\": \"delivered\",\n \"detection_reason\": \"non_spam\",\n \"scl\": \"1\",\n \"policy_applied\": \"none\"\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"ms_defender_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ]\n },\n \"saas_info\": {\n \"saas_actor_id\": \"john.doe@mycorp.com\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_actor_type\": \"office365_emails_user\",\n \"saas_entity_created\": \"2026-01-13T17:00:12Z\",\n \"saas_entity_type\": \"email\",\n \"saas_id\": \"office365_emails\"\n },\n \"time\": \"2026-01-13T17:00:34.076069Z\"\n }\n }\n}",
"event": {
"action": "send_email_to",
"category": [
"malware"
],
"provider": "avanan_dlp",
"reason": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"severity": 3,
"type": [
"info"
]
},
"@timestamp": "2026-01-13T17:00:24.508990Z",
"checkpoint": {
"harmony_email": {
"confidence": {
"indicator": "detected",
"level": 5
},
"saas_application": "office365_emails",
"scan_details": [
"Credit card number (likely): ****************111"
],
"verdict": {
"ap": "clean",
"dlp": "leak",
"ms_defender": "clean"
}
}
},
"cloud": {
"account": {
"id": "test"
},
"provider": "checkpoint",
"region": "eu-west-1"
},
"email": {
"direction": "outbound",
"from": {
"address": "john.doe@mycorp.com"
},
"local_id": "66666666-6666-6666-6666-666666666666",
"message_id": "<O000000000000000000000000000000000@example.com>",
"subject": "Credit card number",
"to": {
"address": [
"jane.doe@test.com"
]
}
},
"observer": {
"name": "emails-9097588-8",
"product": "Harmony Email and Collaboration",
"vendor": "Checkpoint"
},
"related": {
"hosts": [
"mycorp.com"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"description": "DLP rule match: PCI",
"id": "17682366990433"
},
"source": {
"address": "mycorp.com",
"domain": "mycorp.com",
"ip": "1.2.3.4",
"registered_domain": "mycorp.com",
"top_level_domain": "com",
"user": {
"email": "john.doe@mycorp.com",
"full_name": "John Doe",
"id": "00000000-0000-0000-0000-000000000000"
}
}
}
{
"message": "{\n \"event\": {\n \"security_event\": {\n \"entity_info\": {\n \"customer_cluster\": [\n \"8\"\n ],\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"checkpoint\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-15T15:49:13.034571+00:00\",\n \"entity_expiration\": 1784908153,\n \"entity_id\": \"11111111111111111111111111111111\",\n \"entity_reporter\": \"emails-2167574-8\",\n \"entity_sub_type\": \"phishing\",\n \"entity_type\": \"security_event\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"22222222222222222222222222222222\",\n \"category\": \"phishing\",\n \"confidence_indicator\": \"malicious\",\n \"confidence_level\": 5,\n \"current_state\": \"remediated\",\n \"description\": \"Microsoft has detected #{\\\"label\\\": \\\"phishing\\\", \\\"entity_id\\\": \\\"33333333333333333333333333333333\\\", \\\"entity_type\\\": \\\"ms_defender_scan\\\"} in an email from #{\\\"label\\\": \\\"jane.doe@test.com\\\", \\\"entity_id\\\": \\\"ext:jane.doe@test.com\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\", \\\"disable_link\\\": true} - '#{\\\"label\\\": \\\"Phishing detection test\\\", \\\"entity_id\\\": \\\"33333333333333333333333333333333\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\"}'s mailbox)\",\n \"description_short\": \"Microsoft has detected #{\\\"label\\\": \\\"phishing\\\", \\\"entity_id\\\": \\\"33333333333333333333333333333333\\\", \\\"entity_type\\\": \\\"ms_defender_scan\\\"} in '#{\\\"label\\\": \\\"Phishing detection test\\\", \\\"entity_id\\\": \\\"33333333333333333333333333333333\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}'(#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", 
\\\"entity_type\\\": \\\"office365_emails_user\\\"})\",\n \"description_text\": \"Microsoft has detected phishing in an email from jane.doe@test.com - 'Phishing detection test' (john.doe@mycorp.com's mailbox)\",\n \"description_tooltips\": [\n \"john.doe@mycorp.com\",\n \"HostedContentFilterPolicy\",\n \"Phishing detection test\",\n \"Member\",\n \"9\",\n \"2026-01-15T15:32:58\",\n \"hphish\",\n \"0\",\n \"Jane Doe\",\n \"John Doe\",\n \"jane.doe@test.com\",\n \"High Confidence Phishing\",\n \"Quarantine\"\n ],\n \"event_metadata\": {\n \"sender_address\": \"jane.doe@test.com\",\n \"is_internal\": null,\n \"spam_verdict\": null,\n \"is_outgoing\": null\n },\n \"event_trigger\": {\n \"type\": \"Policy\",\n \"id\": 17682263080220852\n },\n \"latest_change_time\": 1768492164.3583243,\n \"matched_security_tool\": \"ms_defender_scan\",\n \"metadata_json\": {\n \"impersonation_description\": \"Other\",\n \"impersonate_nickname_new\": null\n },\n \"multi\": false,\n \"policy_rule_id\": 17682263080220852,\n \"remediation_actor\": \"microsoft\",\n \"saas\": \"office365_emails\",\n \"severity\": 3\n },\n \"entity_security_result\": {},\n \"saas_info\": {\n \"account_id\": [\n \"00000000-0000-0000-0000-000000000000\"\n ],\n \"entity_id\": \"33333333333333333333333333333333\",\n \"entity_type\": \"office365_emails_email\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_creation_time\": null,\n \"saas_spam_verdict\": null\n },\n \"security_event_action\": [\n {\n \"actor\": \"microsoft\",\n \"sec_event_id\": \"11111111111111111111111111111111\",\n \"error\": null,\n \"create_time\": \"2026-01-15T15:49:24.303412Z\",\n \"action_type\": \"quarantine_email\"\n }\n ],\n \"time\": 
\"2026-01-15T15:49:24.509565Z\",\n \"_id\": \"11111111111111111111111111111111111111111111111111111111111\"\n },\n \"entity\": {\n \"entity_info\": {\n \"customer_cluster\": \"8\",\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"Check Point\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-15T15:49:08.265530Z\",\n \"entity_expiration\": 1784130548,\n \"entity_id\": \"33333333333333333333333333333333\",\n \"entity_reporter\": \"emails-2167574-8\",\n \"entity_type\": \"office365_emails_email\",\n \"entity_updated\": \"2026-01-15T15:49:08.265532Z\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"d0784be61a1866240c5401818861e47e\",\n \"attachment_count\": 0,\n \"attachments\": [],\n \"bcc\": [],\n \"bcc_user\": [],\n \"body_content_type\": \"HTML\",\n \"cc\": [],\n \"cc_user\": [],\n \"container_ids\": null,\n \"containers_ids\": null,\n \"containers_names\": null,\n \"dkim_result\": \"pass\",\n \"dmarc_result\": \"pass\",\n \"email_split\": \"original\",\n \"encryption_status\": null,\n \"envelope_from\": null,\n \"first_folder_name\": null,\n \"folder_history\": [],\n \"forwarder_email\": null,\n \"from_domain\": \"mycorp.com\",\n \"from_email\": \"jane.doe@test.com\",\n \"from_id\": \"ext:jane.doe@test.com\",\n \"from_name\": \"Jane Doe\",\n \"has_calendar_event\": false,\n \"has_encrypted_attachments\": false,\n \"has_internal_recipient\": true,\n \"insert_time_sqs\": \"2026-01-15T15:44:08.033000Z\",\n \"internet_message_id\": \"<00000000000000000000000000000000000000000000000000@mail.example.com>\",\n \"is_attachment_changed\": false,\n \"is_attachment_restored\": false,\n \"is_body_changed\": false,\n \"is_deleted\": true,\n \"is_encrypted_attachments_removed\": null,\n \"is_first_in_junk\": null,\n \"is_group_user\": null,\n \"is_in_junk\": null,\n \"is_in_s3_quarantine\": true,\n \"is_incoming\": true,\n \"is_inline_handled\": false,\n \"is_internal\": false,\n 
\"is_links_replaced\": false,\n \"is_outgoing\": false,\n \"is_quarantine_notification\": false,\n \"is_quarantine_user_notification\": false,\n \"is_quarantined\": true,\n \"is_read\": null,\n \"is_restore_declined\": false,\n \"is_restore_requested\": false,\n \"is_restored\": false,\n \"is_sent_from_internal\": false,\n \"is_signed\": false,\n \"is_spam_header_added\": false,\n \"is_splittable\": false,\n \"is_subject_changed\": false,\n \"is_wd_rescan\": false,\n \"manager_address\": null,\n \"matched_workflows\": null,\n \"mode\": \"monitor\",\n \"ms_quarantine_status\": \"quarantined\",\n \"ms_quarantine_verdict_type\": \"high_conf_phish\",\n \"network_message_id\": \"66666666-6666-6666-6666-666666666666\",\n \"orig_message_id\": null,\n \"orig_recipient\": \"john.doe@mycorp.com\",\n \"orig_subject\": null,\n \"password_protected_require_password_time\": null,\n \"password_protected_restore_time\": null,\n \"password_protected_status\": null,\n \"password_protected_uuid\": null,\n \"quarantine_actor\": \"Microsoft\",\n \"quarantine_time\": \"2026-01-15T15:49:21.822454Z\",\n \"quarantine_uuid\": \"55555555555555555555555555555555\",\n \"recipients\": [\n \"john.doe@mycorp.com\"\n ],\n \"recipients_hash\": \"5c9a6d0fb68a2521418f82400c97eb25\",\n \"recipients_user\": [\n {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n }\n ],\n \"reply_to_email\": null,\n \"reply_to_nickname\": null,\n \"report_phishing_blacklist_time\": null,\n \"report_phishing_decline_actor\": null,\n \"report_phishing_decline_reason\": null,\n \"report_phishing_decline_time\": null,\n \"report_phishing_detection_time\": null,\n \"report_phishing_email_hash_md5\": null,\n \"report_phishing_original\": null,\n \"report_phishing_service_name\": null,\n 
\"report_phishing_service_type\": null,\n \"report_phishing_source\": null,\n \"request_password_at\": null,\n \"restore_actor\": null,\n \"restore_commentary\": null,\n \"restore_decline_actor\": null,\n \"restore_decline_reason\": null,\n \"restore_decline_time\": null,\n \"restore_request_actor_type\": null,\n \"restore_request_source\": null,\n \"restore_request_time\": null,\n \"restore_time\": null,\n \"restored_message_id\": null,\n \"saas_phishing_verdict\": null,\n \"saas_spam_verdict\": \"9\",\n \"sender_client_ip\": \"0.0.0.0\",\n \"sender_server_ip\": \"2001:db8::2fe5\",\n \"sent_datetime\": \"2026-01-15T15:32:46Z\",\n \"size\": 11383,\n \"smart_banner_category\": null,\n \"source\": \"mta\",\n \"spf_result\": \"pass\",\n \"subject\": \"Phishing detection test\",\n \"to\": [\n \"john.doe@mycorp.com\"\n ],\n \"to_user\": [\n {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n }\n ],\n \"workflow\": \"\",\n \"email_links\": [\n \"https://malicious.foo.com/account_WfWvvb_claim_gift_card\"\n ],\n \"email_links_domains\": [\n \"malicious.foo.com\"\n ]\n },\n \"entity_security_result\": {\n \"ap\": [\n {\n \"security_result_entity_id\": \"33333333333333333333333333333333\",\n \"score\": null,\n \"status_description\": \"Cleaned SCL due to ignore_scl_for_clean\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"match_spam_whitelist\",\n \"sec_type\": \"ap\",\n \"payload\": {\n \"reasons_by_category\": {},\n \"reasons\": [\n \"Marked as clean based on Check Point's assessment, overriding Microsoft's spam classification\",\n \"Marked as clean based on Check Point's assessment, overriding Microsoft's spam classification\",\n \"Link to newly registered domain\",\n \"Non ASCII info in headers\",\n \"Insignificant 
historical reputation with sender domain\",\n \"Insignificant historical reputation with sender\",\n \"Low-traffic 'From'-domain\",\n \"Link to a low-traffic site\",\n \"Suspicious-looking email text\",\n \"Email is marked as spam by O365\"\n ],\n \"probability_level\": \"2\",\n \"reasons_by_category_list\": []\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"avanan_ap_scan\",\n \"entity_id\": \"33333333333333333333333333333333\"\n }\n ],\n \"combined_verdict\": {\n \"shadow_it\": \"clean\",\n \"ap\": \"clean\",\n \"ms_defender\": \"hphsh\"\n },\n \"findings_summary\": [\n {\n \"sectool_name\": \"ms_defender_scan\",\n \"sectool_type\": \"ms_defender\",\n \"verdict\": \"hphsh\"\n }\n ],\n \"is_clean\": false,\n \"ms_defender\": [\n {\n \"security_result_entity_id\": \"33333333333333333333333333333333\",\n \"score\": 0,\n \"status_description\": \"\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ms_defender\",\n \"payload\": {\n \"bcl\": \"0\",\n \"policy_action\": \"quarantine\",\n \"detection_reason\": \"HostedContentFilterPolicy\",\n \"scl\": \"9\",\n \"policy_applied\": \"hphish\"\n },\n \"verdict\": \"hphsh\",\n \"security_result_entity_type\": \"ms_defender_scan\",\n \"entity_id\": \"33333333333333333333333333333333\"\n }\n ],\n \"shadow_it\": [\n {\n \"security_result_entity_id\": \"33333333333333333333333333333333\",\n \"score\": 0,\n \"status_description\": \"Clean\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"clean\",\n \"sec_type\": \"shadow_it\",\n \"payload\": {\n \"from\": \"jane.doe@test.com\",\n \"subject\": \"Phishing detection test\",\n \"domain\": \"\"\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"shadow_it_emails_scan\",\n \"entity_id\": \"33333333333333333333333333333333\"\n }\n ]\n },\n \"saas_info\": {\n \"saas_actor_id\": \"john.doe@mycorp.com\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n 
\"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_actor_type\": \"office365_emails_user\",\n \"saas_entity_created\": \"2026-01-15T15:32:58Z\",\n \"saas_entity_id\": null,\n \"saas_entity_type\": \"email\",\n \"saas_id\": \"office365_emails\"\n },\n \"time\": \"2026-01-15T15:49:22.551191Z\"\n }\n }\n}",
"event": {
"action": "quarantine_email",
"category": [
"threat"
],
"provider": "ms_defender_scan",
"reason": "Microsoft has detected phishing in an email from jane.doe@test.com - 'Phishing detection test' (john.doe@mycorp.com's mailbox)",
"severity": 3,
"type": [
"indicator"
]
},
"@timestamp": "2026-01-15T15:49:24.509565Z",
"checkpoint": {
"harmony_email": {
"confidence": {
"indicator": "malicious",
"level": 5
},
"saas_application": "office365_emails",
"verdict": {
"ap": "clean",
"ms_defender": "hphsh"
}
}
},
"cloud": {
"account": {
"id": "test"
},
"provider": "checkpoint",
"region": "eu-west-1"
},
"destination": {
"user": {
"email": "john.doe@mycorp.com",
"full_name": "John Doe"
}
},
"email": {
"direction": "inbound",
"from": {
"address": "jane.doe@test.com"
},
"local_id": "66666666-6666-6666-6666-666666666666",
"message_id": "<00000000000000000000000000000000000000000000000000@mail.example.com>",
"subject": "Phishing detection test",
"to": {
"address": [
"john.doe@mycorp.com"
]
}
},
"observer": {
"name": "emails-2167574-8",
"product": "Harmony Email and Collaboration",
"vendor": "Checkpoint"
},
"related": {
"hosts": [
"mycorp.com"
],
"ip": [
"0.0.0.0"
]
},
"rule": {
"id": "17682263080220852"
},
"source": {
"address": "mycorp.com",
"domain": "mycorp.com",
"ip": "0.0.0.0",
"registered_domain": "mycorp.com",
"top_level_domain": "com",
"user": {
"id": "ext:jane.doe@test.com"
}
},
"url": {
"domain": "malicious.foo.com",
"full": "https://malicious.foo.com/account_WfWvvb_claim_gift_card",
"original": "https://malicious.foo.com/account_WfWvvb_claim_gift_card",
"path": "/account_WfWvvb_claim_gift_card",
"port": 443,
"registered_domain": "foo.com",
"scheme": "https",
"subdomain": "malicious",
"top_level_domain": "com"
}
}
{
"message": "{\n \"event\": {\n \"security_event\": {\n \"entity_info\": {\n \"customer_cluster\": [\n \"8\"\n ],\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"checkpoint\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:22.780083+00:00\",\n \"entity_expiration\": 1784739622,\n \"entity_id\": \"00000000000000000000000000000000\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_sub_type\": \"dlp\",\n \"entity_type\": \"security_event\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"11111111111111111111111111111111\",\n \"category\": \"shadow_it\",\n \"confidence_indicator\": \"detected\",\n \"confidence_level\": 5,\n \"current_state\": \"detected\",\n \"description\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected #{\\\"label\\\": \\\"PCI\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\"}'s mailbox)\",\n \"description_short\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected a leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": 
\\\"office365_emails_user\\\"})\",\n \"description_text\": \"SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)\",\n \"description_tooltips\": [\n \"Member\",\n \"John Doe\",\n \"Credit card number\",\n \"john.doe@mycorp.com\",\n \"2026-01-13T17:00:12\",\n \"Detected\"\n ],\n \"event_metadata\": {\n \"sender_address\": \"john.doe@mycorp.com\",\n \"is_internal\": null,\n \"spam_verdict\": null,\n \"is_outgoing\": null,\n \"dlp_detections\": [\n \"Credit card number\"\n ]\n },\n \"event_trigger\": {\n \"type\": \"Policy\",\n \"id\": 17682366990433\n },\n \"matched_security_tool\": \"avanan_dlp\",\n \"metadata_json\": {\n \"impersonation_description\": \"Other\",\n \"impersonate_nickname_new\": null\n },\n \"multi\": false,\n \"policy_rule_id\": 17682366990433,\n \"saas\": \"office365_emails\",\n \"severity\": 3\n },\n \"entity_security_result\": {},\n \"saas_info\": {\n \"account_id\": [\n \"00000000-0000-0000-0000-000000000000\"\n ],\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_type\": \"office365_emails_email\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_creation_time\": null,\n \"saas_spam_verdict\": null\n },\n \"security_event_action\": [\n {\n \"actor\": \"checkpoint\",\n \"sec_event_id\": \"00000000000000000000000000000000\",\n \"error\": \"\",\n \"create_time\": \"2026-01-13T17:00:24.438085Z\",\n \"action_type\": \"send_email_to\"\n }\n ],\n \"time\": \"2026-01-13T17:00:24.508990Z\",\n \"_id\": \"11111111111111111111111111111111111111111111111111111111111\"\n },\n \"entity\": {\n \"entity_info\": {\n \"customer_cluster\": \"8\",\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": 
\"Check Point\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:17.465214Z\",\n \"entity_expiration\": 1783962017,\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_type\": \"office365_emails_email\",\n \"entity_updated\": \"2026-01-13T17:00:17.465218Z\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"33333333333333333333333333333333\",\n \"attachment_count\": 0,\n \"attachments\": [],\n \"bcc\": [],\n \"bcc_user\": [],\n \"body_content_type\": \"HTML\",\n \"cc\": [],\n \"cc_user\": [],\n \"containers_ids\": null,\n \"containers_names\": null,\n \"dkim_result\": \"none\",\n \"dmarc_result\": \"none\",\n \"email_split\": \"original\",\n \"encryption_status\": null,\n \"envelope_from\": null,\n \"first_folder_name\": null,\n \"folder_history\": [],\n \"forwarder_email\": null,\n \"from_domain\": \"mycorp.com\",\n \"from_email\": \"john.doe@mycorp.com\",\n \"from_id\": \"00000000-0000-0000-0000-000000000000\",\n \"from_name\": \"John Doe\",\n \"geo_city\": \"Rennes\",\n \"geo_country\": \"France\",\n \"geo_region\": \"Ille-et-Vilaine\",\n \"has_calendar_event\": false,\n \"has_encrypted_attachments\": false,\n \"has_internal_recipient\": false,\n \"insert_time_sqs\": \"2026-01-13T17:00:17.147000Z\",\n \"internet_message_id\": \"<O000000000000000000000000000000000@example.com>\",\n \"is_attachment_changed\": false,\n \"is_attachment_restored\": false,\n \"is_body_changed\": false,\n \"is_deleted\": false,\n \"is_encrypted_attachments_removed\": null,\n \"is_first_in_junk\": null,\n \"is_group_user\": null,\n \"is_in_junk\": null,\n \"is_in_s3_quarantine\": false,\n \"is_incoming\": false,\n \"is_inline_handled\": false,\n \"is_internal\": false,\n \"is_links_replaced\": false,\n \"is_outgoing\": true,\n \"is_quarantine_notification\": false,\n \"is_quarantine_user_notification\": false,\n \"is_quarantined\": false,\n \"is_read\": null,\n 
\"is_restore_declined\": false,\n \"is_restore_requested\": false,\n \"is_restored\": false,\n \"is_sent_from_internal\": true,\n \"is_signed\": false,\n \"is_spam_header_added\": false,\n \"is_splittable\": true,\n \"is_subject_changed\": false,\n \"is_wd_rescan\": false,\n \"manager_address\": null,\n \"matched_workflows\": null,\n \"mode\": \"monitor\",\n \"ms_quarantine_status\": null,\n \"ms_quarantine_verdict_type\": null,\n \"network_message_id\": \"66666666-6666-6666-6666-666666666666\",\n \"orig_message_id\": null,\n \"orig_recipient\": \"john.doe@mycorp.com\",\n \"orig_subject\": null,\n \"password_protected_require_password_time\": null,\n \"password_protected_restore_time\": null,\n \"password_protected_status\": null,\n \"password_protected_uuid\": null,\n \"quarantine_actor\": null,\n \"quarantine_time\": null,\n \"quarantine_uuid\": null,\n \"recipients\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_hash\": \"dc44eaf82ea2617fa505c3186253638b\",\n \"recipients_journal\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"reply_to_email\": null,\n \"reply_to_nickname\": null,\n \"report_phishing_blacklist_time\": null,\n \"report_phishing_decline_actor\": null,\n \"report_phishing_decline_reason\": null,\n \"report_phishing_decline_time\": null,\n \"report_phishing_detection_time\": null,\n \"report_phishing_email_hash_md5\": null,\n \"report_phishing_original\": null,\n \"report_phishing_service_name\": null,\n \"report_phishing_service_type\": null,\n \"report_phishing_source\": null,\n \"request_password_at\": null,\n \"restore_actor\": null,\n \"restore_commentary\": null,\n \"restore_decline_actor\": null,\n \"restore_decline_reason\": null,\n 
\"restore_decline_time\": null,\n \"restore_request_actor_type\": null,\n \"restore_request_source\": null,\n \"restore_request_time\": null,\n \"restore_time\": null,\n \"restored_message_id\": null,\n \"saas_phishing_verdict\": null,\n \"saas_spam_verdict\": \"1\",\n \"sender_client_ip\": \"1.2.3.4\",\n \"sender_server_ip\": \"2001:db8::2fe5\",\n \"sent_datetime\": \"2026-01-13T17:00:12Z\",\n \"size\": 19472,\n \"smart_banner_category\": null,\n \"source\": \"mta\",\n \"spf_result\": null,\n \"subject\": \"Credit card number\",\n \"to\": [\n \"jane.doe@test.com\"\n ],\n \"to_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"workflow\": null\n },\n \"entity_security_result\": {\n \"ap\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 71.57221,\n \"status_description\": null,\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ap\",\n \"payload\": {\n \"reasons_by_category_list\": [],\n \"reasons_by_category\": {},\n \"reasons\": []\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"avanan_ap_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"combined_dlp_hit_count\": 1,\n \"combined_verdict\": {\n \"dlp\": \"leak\",\n \"ms_defender\": \"clean\",\n \"ap\": \"clean\"\n },\n \"dlp\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"DLP rule match: PCI\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"dlp\",\n \"payload\": {\n \"matches_dlp_rules\": [\n \"PCI\"\n ],\n \"found_text\": [\n \"****************111\"\n ],\n \"scan_details\": [\n \"Credit card number (likely): 
****************111\"\n ],\n \"hit_count\": 1\n },\n \"verdict\": \"leak\",\n \"security_result_entity_type\": \"avanan_dlp\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"findings_summary\": [\n {\n \"sectool_name\": \"avanan_dlp\",\n \"sectool_type\": \"dlp\",\n \"verdict\": \"leak\"\n }\n ],\n \"is_clean\": false,\n \"ms_defender\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ms_defender\",\n \"payload\": {\n \"bcl\": \"0\",\n \"policy_action\": \"delivered\",\n \"detection_reason\": \"non_spam\",\n \"scl\": \"1\",\n \"policy_applied\": \"none\"\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"ms_defender_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ]\n },\n \"saas_info\": {\n \"saas_actor_id\": \"john.doe@mycorp.com\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_actor_type\": \"office365_emails_user\",\n \"saas_entity_created\": \"2026-01-13T17:00:12Z\",\n \"saas_entity_type\": \"email\",\n \"saas_id\": \"office365_emails\"\n },\n \"time\": \"2026-01-13T17:00:34.076069Z\"\n }\n }\n}",
"event": {
"action": "send_email_to",
"category": [
"host"
],
"provider": "avanan_dlp",
"reason": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"severity": 3,
"type": [
"info"
]
},
"@timestamp": "2026-01-13T17:00:24.508990Z",
"checkpoint": {
"harmony_email": {
"confidence": {
"indicator": "detected",
"level": 5
},
"saas_application": "office365_emails",
"scan_details": [
"Credit card number (likely): ****************111"
],
"verdict": {
"ap": "clean",
"dlp": "leak",
"ms_defender": "clean"
}
}
},
"cloud": {
"account": {
"id": "test"
},
"provider": "checkpoint",
"region": "eu-west-1"
},
"email": {
"direction": "outbound",
"from": {
"address": "john.doe@mycorp.com"
},
"local_id": "66666666-6666-6666-6666-666666666666",
"message_id": "<O000000000000000000000000000000000@example.com>",
"subject": "Credit card number",
"to": {
"address": [
"jane.doe@test.com"
]
}
},
"observer": {
"name": "emails-9097588-8",
"product": "Harmony Email and Collaboration",
"vendor": "Checkpoint"
},
"related": {
"hosts": [
"mycorp.com"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"description": "DLP rule match: PCI",
"id": "17682366990433"
},
"source": {
"address": "mycorp.com",
"domain": "mycorp.com",
"ip": "1.2.3.4",
"registered_domain": "mycorp.com",
"top_level_domain": "com",
"user": {
"email": "john.doe@mycorp.com",
"full_name": "John Doe",
"id": "00000000-0000-0000-0000-000000000000"
}
}
}
{
"message": "{\n \"event\": {\n \"security_event\": {\n \"entity_info\": {\n \"customer_cluster\": [\n \"8\"\n ],\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n \"customer_oem\": \"checkpoint\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:22.780083+00:00\",\n \"entity_expiration\": 1784739622,\n \"entity_id\": \"00000000000000000000000000000000\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_sub_type\": \"dlp\",\n \"entity_type\": \"security_event\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"11111111111111111111111111111111\",\n \"category\": \"suspicious malware\",\n \"confidence_indicator\": \"detected\",\n \"confidence_level\": 5,\n \"current_state\": \"detected\",\n \"description\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected #{\\\"label\\\": \\\"PCI\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", \\\"entity_type\\\": \\\"office365_emails_user\\\"}'s mailbox)\",\n \"description_short\": \"#{\\\"label\\\": \\\"SmartDLP\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"avanan_dlp\\\", \\\"disable_link\\\": true} has detected a leak in '#{\\\"label\\\": \\\"Credit card number\\\", \\\"entity_id\\\": \\\"22222222222222222222222222222222\\\", \\\"entity_type\\\": \\\"office365_emails_email\\\"}' (#{\\\"label\\\": \\\"john.doe@mycorp.com\\\", \\\"entity_id\\\": \\\"00000000-0000-0000-0000-000000000000\\\", 
\\\"entity_type\\\": \\\"office365_emails_user\\\"})\",\n \"description_text\": \"SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)\",\n \"description_tooltips\": [\n \"Member\",\n \"John Doe\",\n \"Credit card number\",\n \"john.doe@mycorp.com\",\n \"2026-01-13T17:00:12\",\n \"Detected\"\n ],\n \"event_metadata\": {\n \"sender_address\": \"john.doe@mycorp.com\",\n \"is_internal\": null,\n \"spam_verdict\": null,\n \"is_outgoing\": null,\n \"dlp_detections\": [\n \"Credit card number\"\n ]\n },\n \"event_trigger\": {\n \"type\": \"Policy\",\n \"id\": 17682366990433\n },\n \"matched_security_tool\": \"avanan_dlp\",\n \"metadata_json\": {\n \"impersonation_description\": \"Other\",\n \"impersonate_nickname_new\": null\n },\n \"multi\": false,\n \"policy_rule_id\": 17682366990433,\n \"saas\": \"office365_emails\",\n \"severity\": 3\n },\n \"entity_security_result\": {},\n \"saas_info\": {\n \"account_id\": [\n \"00000000-0000-0000-0000-000000000000\"\n ],\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_type\": \"office365_emails_email\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_creation_time\": null,\n \"saas_spam_verdict\": null\n },\n \"security_event_action\": [\n {\n \"actor\": \"checkpoint\",\n \"sec_event_id\": \"00000000000000000000000000000000\",\n \"error\": \"\",\n \"create_time\": \"2026-01-13T17:00:24.438085Z\",\n \"action_type\": \"send_email_to\"\n }\n ],\n \"time\": \"2026-01-13T17:00:24.508990Z\",\n \"_id\": \"11111111111111111111111111111111111111111111111111111111111\"\n },\n \"entity\": {\n \"entity_info\": {\n \"customer_cluster\": \"8\",\n \"customer_domain\": \"test\",\n \"customer_farm\": \"mt-prod-cp-eu-2\",\n 
\"customer_oem\": \"Check Point\",\n \"customer_region\": \"eu-west-1\",\n \"entity_created\": \"2026-01-13T17:00:17.465214Z\",\n \"entity_expiration\": 1783962017,\n \"entity_id\": \"22222222222222222222222222222222\",\n \"entity_reporter\": \"emails-9097588-8\",\n \"entity_type\": \"office365_emails_email\",\n \"entity_updated\": \"2026-01-13T17:00:17.465218Z\",\n \"locale\": \"en-us\"\n },\n \"entity_payload\": {\n \"aggregation_id\": \"33333333333333333333333333333333\",\n \"attachment_count\": 0,\n \"attachments\": [],\n \"bcc\": [],\n \"bcc_user\": [],\n \"body_content_type\": \"HTML\",\n \"cc\": [],\n \"cc_user\": [],\n \"containers_ids\": null,\n \"containers_names\": null,\n \"dkim_result\": \"none\",\n \"dmarc_result\": \"none\",\n \"email_split\": \"original\",\n \"encryption_status\": null,\n \"envelope_from\": null,\n \"first_folder_name\": null,\n \"folder_history\": [],\n \"forwarder_email\": null,\n \"from_domain\": \"mycorp.com\",\n \"from_email\": \"john.doe@mycorp.com\",\n \"from_id\": \"00000000-0000-0000-0000-000000000000\",\n \"from_name\": \"John Doe\",\n \"geo_city\": \"Rennes\",\n \"geo_country\": \"France\",\n \"geo_region\": \"Ille-et-Vilaine\",\n \"has_calendar_event\": false,\n \"has_encrypted_attachments\": false,\n \"has_internal_recipient\": false,\n \"insert_time_sqs\": \"2026-01-13T17:00:17.147000Z\",\n \"internet_message_id\": \"<O000000000000000000000000000000000@example.com>\",\n \"is_attachment_changed\": false,\n \"is_attachment_restored\": false,\n \"is_body_changed\": false,\n \"is_deleted\": false,\n \"is_encrypted_attachments_removed\": null,\n \"is_first_in_junk\": null,\n \"is_group_user\": null,\n \"is_in_junk\": null,\n \"is_in_s3_quarantine\": false,\n \"is_incoming\": false,\n \"is_inline_handled\": false,\n \"is_internal\": false,\n \"is_links_replaced\": false,\n \"is_outgoing\": true,\n \"is_quarantine_notification\": false,\n \"is_quarantine_user_notification\": false,\n \"is_quarantined\": false,\n \"is_read\": 
null,\n \"is_restore_declined\": false,\n \"is_restore_requested\": false,\n \"is_restored\": false,\n \"is_sent_from_internal\": true,\n \"is_signed\": false,\n \"is_spam_header_added\": false,\n \"is_splittable\": true,\n \"is_subject_changed\": false,\n \"is_wd_rescan\": false,\n \"manager_address\": null,\n \"matched_workflows\": null,\n \"mode\": \"monitor\",\n \"ms_quarantine_status\": null,\n \"ms_quarantine_verdict_type\": null,\n \"network_message_id\": \"66666666-6666-6666-6666-666666666666\",\n \"orig_message_id\": null,\n \"orig_recipient\": \"john.doe@mycorp.com\",\n \"orig_subject\": null,\n \"password_protected_require_password_time\": null,\n \"password_protected_restore_time\": null,\n \"password_protected_status\": null,\n \"password_protected_uuid\": null,\n \"quarantine_actor\": null,\n \"quarantine_time\": null,\n \"quarantine_uuid\": null,\n \"recipients\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_hash\": \"dc44eaf82ea2617fa505c3186253638b\",\n \"recipients_journal\": [\n \"jane.doe@test.com\"\n ],\n \"recipients_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"reply_to_email\": null,\n \"reply_to_nickname\": null,\n \"report_phishing_blacklist_time\": null,\n \"report_phishing_decline_actor\": null,\n \"report_phishing_decline_reason\": null,\n \"report_phishing_decline_time\": null,\n \"report_phishing_detection_time\": null,\n \"report_phishing_email_hash_md5\": null,\n \"report_phishing_original\": null,\n \"report_phishing_service_name\": null,\n \"report_phishing_service_type\": null,\n \"report_phishing_source\": null,\n \"request_password_at\": null,\n \"restore_actor\": null,\n \"restore_commentary\": null,\n \"restore_decline_actor\": null,\n \"restore_decline_reason\": 
null,\n \"restore_decline_time\": null,\n \"restore_request_actor_type\": null,\n \"restore_request_source\": null,\n \"restore_request_time\": null,\n \"restore_time\": null,\n \"restored_message_id\": null,\n \"saas_phishing_verdict\": null,\n \"saas_spam_verdict\": \"1\",\n \"sender_client_ip\": \"1.2.3.4\",\n \"sender_server_ip\": \"2001:db8::2fe5\",\n \"sent_datetime\": \"2026-01-13T17:00:12Z\",\n \"size\": 19472,\n \"smart_banner_category\": null,\n \"source\": \"mta\",\n \"spf_result\": null,\n \"subject\": \"Credit card number\",\n \"to\": [\n \"jane.doe@test.com\"\n ],\n \"to_user\": [\n {\n \"full_name\": \"jane.doe@test.com\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": true,\n \"av_license_enabled\": false,\n \"entity_id\": \"ext:jane.doe@test.com\",\n \"key\": \"jane.doe@test.com\",\n \"email\": \"jane.doe@test.com\"\n }\n ],\n \"workflow\": null\n },\n \"entity_security_result\": {\n \"ap\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 71.57221,\n \"status_description\": null,\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ap\",\n \"payload\": {\n \"reasons_by_category_list\": [],\n \"reasons_by_category\": {},\n \"reasons\": []\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"avanan_ap_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"combined_dlp_hit_count\": 1,\n \"combined_verdict\": {\n \"dlp\": \"leak\",\n \"ms_defender\": \"clean\",\n \"ap\": \"clean\"\n },\n \"dlp\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"DLP rule match: PCI\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"dlp\",\n \"payload\": {\n \"matches_dlp_rules\": [\n \"PCI\"\n ],\n \"found_text\": [\n \"****************111\"\n ],\n \"scan_details\": [\n \"Credit card number (likely): 
****************111\"\n ],\n \"hit_count\": 1\n },\n \"verdict\": \"leak\",\n \"security_result_entity_type\": \"avanan_dlp\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ],\n \"findings_summary\": [\n {\n \"sectool_name\": \"avanan_dlp\",\n \"sectool_type\": \"dlp\",\n \"verdict\": \"leak\"\n }\n ],\n \"is_clean\": false,\n \"ms_defender\": [\n {\n \"security_result_entity_id\": \"22222222222222222222222222222222\",\n \"score\": 0,\n \"status_description\": \"\",\n \"entity_type\": \"office365_emails_email\",\n \"status_code\": \"0\",\n \"sec_type\": \"ms_defender\",\n \"payload\": {\n \"bcl\": \"0\",\n \"policy_action\": \"delivered\",\n \"detection_reason\": \"non_spam\",\n \"scl\": \"1\",\n \"policy_applied\": \"none\"\n },\n \"verdict\": \"clean\",\n \"security_result_entity_type\": \"ms_defender_scan\",\n \"entity_id\": \"22222222222222222222222222222222\"\n }\n ]\n },\n \"saas_info\": {\n \"saas_actor_id\": \"john.doe@mycorp.com\",\n \"saas_actor_payload\": {\n \"full_name\": \"John Doe\",\n \"is_deleted\": false,\n \"entity_type\": \"office365_emails_user\",\n \"is_external\": false,\n \"av_license_enabled\": true,\n \"entity_id\": \"00000000-0000-0000-0000-000000000000\",\n \"key\": \"John Doe\",\n \"email\": \"john.doe@mycorp.com\"\n },\n \"saas_actor_type\": \"office365_emails_user\",\n \"saas_entity_created\": \"2026-01-13T17:00:12Z\",\n \"saas_entity_type\": \"email\",\n \"saas_id\": \"office365_emails\"\n },\n \"time\": \"2026-01-13T17:00:34.076069Z\"\n }\n }\n}",
"event": {
"action": "send_email_to",
"category": [
"malware"
],
"provider": "avanan_dlp",
"reason": "SmartDLP has detected PCI leak in 'Credit card number' (john.doe@mycorp.com's mailbox)",
"severity": 3,
"type": [
"info"
]
},
"@timestamp": "2026-01-13T17:00:24.508990Z",
"checkpoint": {
"harmony_email": {
"confidence": {
"indicator": "detected",
"level": 5
},
"saas_application": "office365_emails",
"scan_details": [
"Credit card number (likely): ****************111"
],
"verdict": {
"ap": "clean",
"dlp": "leak",
"ms_defender": "clean"
}
}
},
"cloud": {
"account": {
"id": "test"
},
"provider": "checkpoint",
"region": "eu-west-1"
},
"email": {
"direction": "outbound",
"from": {
"address": "john.doe@mycorp.com"
},
"local_id": "66666666-6666-6666-6666-666666666666",
"message_id": "<O000000000000000000000000000000000@example.com>",
"subject": "Credit card number",
"to": {
"address": [
"jane.doe@test.com"
]
}
},
"observer": {
"name": "emails-9097588-8",
"product": "Harmony Email and Collaboration",
"vendor": "Checkpoint"
},
"related": {
"hosts": [
"mycorp.com"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"description": "DLP rule match: PCI",
"id": "17682366990433"
},
"source": {
"address": "mycorp.com",
"domain": "mycorp.com",
"ip": "1.2.3.4",
"registered_domain": "mycorp.com",
"top_level_domain": "com",
"user": {
"email": "john.doe@mycorp.com",
"full_name": "John Doe",
"id": "00000000-0000-0000-0000-000000000000"
}
}
}
Extracted Fields
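The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed. In the DLP samples above, `checkpoint.harmony_email.scan_details` carries the matched text in masked form (`****************111`) and is indexed as a keyword, so treat it as sensitive when scoping access to these events. The last sample is a DLP leak (`event.provider` is `avanan_dlp`, `checkpoint.harmony_email.verdict.dlp` is `leak`) whose `event.category` is `malware`, so detection rules for data leaks should key on the provider and verdict fields rather than on `event.category` alone.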
| Name | Type | Description |
|---|---|---|
| @timestamp | date | Date/time when the event originated. |
| checkpoint.harmony_email.confidence.indicator | keyword | |
| checkpoint.harmony_email.confidence.level | long | |
| checkpoint.harmony_email.saas_application | keyword | |
| checkpoint.harmony_email.scan_details | keyword | |
| checkpoint.harmony_email.verdict.ap | keyword | |
| checkpoint.harmony_email.verdict.dlp | keyword | |
| checkpoint.harmony_email.verdict.ms_defender | keyword | |
| cloud.account.id | keyword | The cloud account or organization id. |
| cloud.provider | keyword | Name of the cloud provider. |
| cloud.region | keyword | Region in which this host, resource, or service is located. |
| destination.user.email | keyword | User email address. |
| destination.user.full_name | keyword | User's full name, if available. |
| email.direction | keyword | Direction of the message. |
| email.from.address | keyword | The sender's email address. |
| email.local_id | keyword | Unique identifier given by the source. |
| email.message_id | wildcard | Value from the Message-ID header. |
| email.subject | keyword | The subject of the email message. |
| email.to.address | keyword | Email address of recipient |
| event.action | keyword | The action captured by the event. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
| event.provider | keyword | Source of the event. |
| event.reason | keyword | Reason why this event happened, according to the source |
| event.severity | long | Numeric severity of the event. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| observer.name | keyword | Custom name of the observer. |
| observer.product | keyword | The product name of the observer. |
| observer.vendor | keyword | Vendor name of the observer. |
| rule.description | keyword | Rule description |
| rule.id | keyword | Rule ID |
| source.domain | keyword | The domain name of the source. |
| source.ip | ip | IP address of the source. |
| source.user.email | keyword | User email address. |
| source.user.full_name | keyword | User's full name, if available. |
| source.user.id | keyword | Unique identifier of the user. |
| url.original | wildcard | Unmodified original url as seen in the event source. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.