The Checkpoint App produced, published and supported by the vendor (https://splunkbase.splunk.com/app/4293/) breaks CIM compatibility for the action field. I recommend opening an issue with Check Point and having them reference the lookup performed on the action field by the legacy app Check Point Splunk CIM TA (https://splunkbase.splunk.com/app/4629/), which correctly handles the action field to make it CIM compliant. The net result is that some Check Point events processed by the vendor app will not be found when searching for the 4 allowed values of "allowed, blocked, dropped, unknown".
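The following is an added illustration of the lookup-style normalization the post describes; it is not code from either Splunkbase app or from Check Point. The allowed set is the one the post names; the raw Check Point action strings in `RAW_TO_CIM`, the `normalize_action` / `find_noncompliant` helpers and the sample events are all constructed assumptions for the example. It shows both halves of the problem: which events a CIM-only search over `action` would miss, and how a lookup that maps the vendor's values onto the CIM set fixes that.

```python
"""Normalize a vendor `action` field to CIM values (added example).

Assumptions, not taken from either Splunk app:
  - CIM_ALLOWED is the four-value set the forum post quotes.
  - RAW_TO_CIM is an assumed vendor -> CIM lookup table; real Check Point
    action strings may differ and should be taken from actual events.
"""

# The four values the post says a CIM search expects for `action`.
CIM_ALLOWED = {"allowed", "blocked", "dropped", "unknown"}

# Assumed lookup table (the kind of CSV lookup the legacy TA applies).
# Keys are compared case-insensitively after stripping whitespace.
RAW_TO_CIM = {
    "accept": "allowed",
    "allow": "allowed",
    "reject": "blocked",
    "block": "blocked",
    "prevent": "blocked",
    "drop": "dropped",
}


def normalize_action(raw):
    """Map one vendor action string to a CIM value; anything unmapped is 'unknown'."""
    if raw is None:
        return "unknown"
    return RAW_TO_CIM.get(raw.strip().lower(), "unknown")


def is_cim_compliant(action):
    """True only if `action` is exactly one of the CIM allowed values."""
    return action in CIM_ALLOWED


def find_noncompliant(events):
    """Events whose `action` a CIM-only search (action=allowed OR ...) would never match."""
    return [e for e in events if not is_cim_compliant(e.get("action"))]


def normalize_events(events):
    """Return copies of the events with `action` normalized and the raw value preserved."""
    normalized = []
    for event in events:
        copy = dict(event)
        copy["vendor_action"] = event.get("action")  # keep the original for forensics
        copy["action"] = normalize_action(event.get("action"))
        normalized.append(copy)
    return normalized


# Constructed sample events, shaped loosely like firewall log records.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dest": "203.0.113.9", "dest_port": 443, "action": "Accept"},
    {"src": "10.0.0.7", "dest": "198.51.100.2", "dest_port": 22, "action": "Drop"},
    {"src": "10.0.0.9", "dest": "192.0.2.44", "dest_port": 80, "action": "Reject"},
    {"src": "10.0.0.11", "dest": "192.0.2.45", "dest_port": 8080, "action": "allowed"},
    {"src": "10.0.0.12", "dest": "192.0.2.46", "dest_port": 53, "action": None},
]


if __name__ == "__main__":
    missed = find_noncompliant(SAMPLE_EVENTS)
    print(f"{len(missed)} of {len(SAMPLE_EVENTS)} events invisible to a CIM-only search")
    for event in normalize_events(SAMPLE_EVENTS):
        print(event["vendor_action"], "->", event["action"])
```

In Splunk terms, `RAW_TO_CIM` corresponds to a CSV lookup keyed on the vendor's action value, applied by a lookup definition so that `action` carries the CIM value while the raw string survives in a separate field; the `find_noncompliant` check is the same test a `| where NOT action IN ("allowed","blocked","dropped","unknown")` search would perform to measure how many events the vendor app leaves outside the CIM set.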