Detect Checkpoint FW action changes - Splunk Community

All Apps and Add-ons

Hello,

I'm trying to detect action changes (src/dst/action switching from drop to accept). Checkpoint FW addon is installed.

I thought about this query but it's way too long :

index=xxx action=drop earliest=-7d@d latest=@d sourcetype=opsec | eval src_drop=src | eval dst_drop=dst| eval service_drop=service | dedup src,dst,service | table src,dst,service,action | join src,dst,service [search index=xxx sourcetype=opsec action=accept earliest=@d latest=now | eval src_acc=src | eval dst_acc=dst | eval service_acc=service | eval acc_time=strftime(_time,"%y/%m/%d %H:%M") | dedup src,dst,service | table src,dst,service,action] | where src_drop=src_acc AND dst_drop=dst_acc AND service_drop=service_acc | table src,dst,service,action

Thanks.

* If this helps, please upvote or accept solution if it solved *

How about a query from the audit log?

index=xxx product=SmartDashboard sourcetype=opsec_audit Operation="Modify Object"

Yes I thought about it but it won't give me src/dst/service table but thanks anyway.

* If this helps, please upvote or accept solution if it solved *

How about something from the audit log? index=xxx product=SmartDashboard sourcetype=opsec_audit Operation="Modify Object"

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Thursday, June 25, 2026 | 11AM PDT / 2PM EDT Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...