From 404046be2c251bcbac92e034e4b13dd11523e2dc Mon Sep 17 00:00:00 2001
From: Lars <126493657+ash-darin@users.noreply.github.com>
Date: Fri, 24 Oct 2025 11:18:32 +0200
Subject: [PATCH 1/6] Update default.yml
---
 .../firewall/elasticsearch/ingest_pipeline/default.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index ebe3a4d4028..c6fa89a0d92 100644
--- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -32,7 +32,7 @@ processors:
 - kv:
 tag: "kv_syslog_structured_semicolon_colon"
 field: syslog5424_sd
- field_split: '(?<="); '
+ field_split: '(?
Date: Fri, 24 Oct 2025 11:21:20 +0200
Subject: [PATCH 2/6] add manifest description
---
 packages/checkpoint/changelog.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index c9071cb5799..f17fcdf507d 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.41.3"
+ changes:
+ - description: Update KV split logic to take email headers into account.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15673
 - version: "1.41.2"
 changes:
 - description: Update update_count, connection_count, aggregated_log_count types from integer to long.
From e487fe28a12bf84fe55248ed29aecf203264f97d Mon Sep 17 00:00:00 2001
From: Lars <126493657+ash-darin@users.noreply.github.com>
Date: Fri, 24 Oct 2025 11:24:48 +0200
Subject: [PATCH 3/6] Add PR Link
---
 packages/checkpoint/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index f17fcdf507d..a2475f41fb2 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Update KV split logic to take email headers into account.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/15673
+ link: https://github.com/elastic/integrations/pull/15745
 - version: "1.41.2"
 changes:
 - description: Update update_count, connection_count, aggregated_log_count types from integer to long.
From 753b537e7bebaa0ca5ea3a274d7e78f77ddf81ba Mon Sep 17 00:00:00 2001
From: Lars <126493657+ash-darin@users.noreply.github.com>
Date: Tue, 18 Nov 2025 14:40:07 +0100
Subject: [PATCH 4/6] Update test-checkpoint.log Add a simplified test case
---
 .../_dev/deploy/docker/sample_logs/test-checkpoint.log | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
index e659322e65b..e4cea2fc1aa 100644
--- a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
+++ b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
@@ -19,3 +19,4 @@
 <134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"]
 <134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"]
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; 
dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1759720844"; version:"5"; arrival_time:"1759720844"; attachments_num:"1"; delivery_time:"1759720852"; dst:"192.168.1.100"; email_content:"Attachments"; email_headers:"X-IronPort-AV: E=Sophos;i=\"4.20,319,1751234400\"; d=\"png'150?scan'150,208,217,150\";a=\"13313487\" "; email_queue_id:"abcdefghijklm"; email_queue_name:"N/A"; lastupdatetime:"1759720852"; links_num:"0"; original_queue_id:"lmnopqrstuvw"; product:"MTA"; s_port:"12345"; scan_ended:"1759720844"; scan_started:"1759720844"; service:"25"; src:"192.168.2.100"; status_update:"1759720852"]
From 4593db9e3d3376d5581ddf677c17e2ae6c8bc2ab Mon Sep 17 00:00:00 2001
From: Lars <126493657+ash-darin@users.noreply.github.com>
Date: Tue, 18 Nov 2025 14:42:15 +0100
Subject: [PATCH 5/6] Update test-checkpoint.log removed a space that crept in at the wrong location
---
 .../_dev/deploy/docker/sample_logs/test-checkpoint.log | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
index e4cea2fc1aa..427f8510f92 100644
--- a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
+++ b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
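Review bot: The added MTA sample line (the `+<134>1` line closing this hunk) carries a 2020-03-30 syslog header timestamp while its `time`, `arrival_time`, `scan_started` and related fields hold 2025 epochs (`1759720844`), and it reuses the `loguid` `{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}` of the preceding context line; if the pipeline derives `@timestamp` from one of these fields or fingerprints on `loguid`, the fixture asserts an inconsistent event, so giving the new line its own loguid and header date (constructed values are fine) would make the test more trustworthy. The `email_headers` value is the only field in this line whose content comes from a remote sender and it is the one containing the `\"; ` sequence the split change targets, so this fixture is where a regression would show; a second variant whose header text has `"; ` immediately followed by a `name:"…"`-shaped token would confirm that such text stays inside `email_headers` instead of surfacing as a new top-level field. The patch 6 hunk on the same file appends a second `X-IronPort-AV` header, but it has the same `\"; a=` shape as the first and so does not add that coverage.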
@@ -19,4 +19,4 @@
 <134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"]
 <134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"]
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; 
dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1759720844"; version:"5"; arrival_time:"1759720844"; attachments_num:"1"; delivery_time:"1759720852"; dst:"192.168.1.100"; email_content:"Attachments"; email_headers:"X-IronPort-AV: E=Sophos;i=\"4.20,319,1751234400\"; d=\"png'150?scan'150,208,217,150\";a=\"13313487\" "; email_queue_id:"abcdefghijklm"; email_queue_name:"N/A"; lastupdatetime:"1759720852"; links_num:"0"; original_queue_id:"lmnopqrstuvw"; product:"MTA"; s_port:"12345"; scan_ended:"1759720844"; scan_started:"1759720844"; service:"25"; src:"192.168.2.100"; status_update:"1759720852"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1759720844"; version:"5"; arrival_time:"1759720844"; attachments_num:"1"; delivery_time:"1759720852"; dst:"192.168.1.100"; email_content:"Attachments"; email_headers:"X-IronPort-AV: E=Sophos;i=\"4.20,319,1751234400\"; d=\"png'150?scan'150,208,217,150\";a=\"13313487\" "; email_queue_id:"abcdefghijklm"; email_queue_name:"N/A"; lastupdatetime:"1759720852"; links_num:"0"; original_queue_id:"lmnopqrstuvw"; product:"MTA"; s_port:"12345"; scan_ended:"1759720844"; scan_started:"1759720844"; service:"25"; src:"192.168.2.100"; 
status_update:"1759720852"]
From 6ca193b4012e042b5c2a21b3249c5210d401f464 Mon Sep 17 00:00:00 2001
From: Lars <126493657+ash-darin@users.noreply.github.com>
Date: Tue, 18 Nov 2025 14:47:22 +0100
Subject: [PATCH 6/6] Update test-checkpoint.log added nother header case
---
 .../_dev/deploy/docker/sample_logs/test-checkpoint.log | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
index 427f8510f92..e926cdbf7b0 100644
--- a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
+++ b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
@@ -19,4 +19,4 @@
 <134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"]
 <134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"]
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; 
dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1759720844"; version:"5"; arrival_time:"1759720844"; attachments_num:"1"; delivery_time:"1759720852"; dst:"192.168.1.100"; email_content:"Attachments"; email_headers:"X-IronPort-AV: E=Sophos;i=\"4.20,319,1751234400\"; d=\"png'150?scan'150,208,217,150\";a=\"13313487\" "; email_queue_id:"abcdefghijklm"; email_queue_name:"N/A"; lastupdatetime:"1759720852"; links_num:"0"; original_queue_id:"lmnopqrstuvw"; product:"MTA"; s_port:"12345"; scan_ended:"1759720844"; scan_started:"1759720844"; service:"25"; src:"192.168.2.100"; status_update:"1759720852"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1759720844"; version:"5"; arrival_time:"1759720844"; attachments_num:"1"; delivery_time:"1759720852"; dst:"192.168.1.100"; email_content:"Attachments"; email_headers:"X-IronPort-AV: E=Sophos;i=\"4.20,319,1751234400\"; d=\"png'150?scan'150,208,217,150\";a=\"13313487\" X-IronPort-AV: E=McAfee;i=\"6800,10657,11573\"; a=\"290145815\" "; email_queue_id:"abcdefghijklm"; email_queue_name:"N/A"; lastupdatetime:"1759720852"; links_num:"0"; original_queue_id:"lmnopqrstuvw"; product:"MTA"; s_port:"12345"; scan_ended:"1759720844"; 
scan_started:"1759720844"; service:"25"; src:"192.168.2.100"; status_update:"1759720852"]