Query Details

Check Point Logs

Query

//Check Point logs

CommonSecurityLog
| extend DeviceProduct = iif(DeviceEventClassID has "geo_protection", "Check Point Geo Protection",
    iif(DeviceEventClassID has "Log", "Check Point Firewall-1 Log", "Check Point"))
| sort by TimeGenerated desc

Explanation

This query retrieves Check Point logs from the CommonSecurityLog table and adds a new column, DeviceProduct, derived from DeviceEventClassID. If DeviceEventClassID contains the term "geo_protection", DeviceProduct is set to "Check Point Geo Protection"; if it contains the term "Log", DeviceProduct is set to "Check Point Firewall-1 Log"; otherwise DeviceProduct is "Check Point". The results are then sorted by TimeGenerated in descending order. Note that `has` is a case-insensitive term match, and that the query contains no `where` clause on DeviceVendor, so every CommonSecurityLog row is labelled, not only rows from Check Point devices.
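The following is an added example, not part of the original query or its author's code: it restricts the rows to Check Point devices before labelling them and summarizes event volume per product per hour, which is the shape you would use to baseline or alert on a Check Point feed. It assumes the CEF connector populates DeviceVendor with "Check Point" (an assumption, not stated on the page).

```kusto
// Added example (not from the original page). Assumes DeviceVendor is populated
// as "Check Point" by the CEF/Syslog connector for these devices.
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor has "Check Point"
| extend DeviceProduct = case(
    DeviceEventClassID has "geo_protection", "Check Point Geo Protection",
    DeviceEventClassID has "Log",            "Check Point Firewall-1 Log",
    "Check Point")                          // default when neither term matches
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by DeviceProduct, bin(TimeGenerated, 1h)
| sort by TimeGenerated desc, Events desc
```

A sudden drop in Events for one DeviceProduct bucket is a useful signal that a device or the log forwarder has stopped sending.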

Details


Rod Trent

Released: October 1, 2020

Tables

CommonSecurityLog

Keywords

CheckPoint,CommonSecurityLog,DeviceProduct,DeviceEventClassID,geo_protection,Log,TimeGenerated

Operators

extend, iif, has, sort by