Ingest logs from Check Point firewalls

Cortex Cloud Runtime Security Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Runtime Security
Creation date
2024-12-24
Last date published
2026-06-10
Category
Administrator Guide
Abstract

To take advantage of Cortex Cloud investigation and detection capabilities while using Check Point firewalls, forward your firewall logs to Cortex Cloud.

Notice

Requires the Data Collection add-on.

If you use Check Point FW1/VPN1 firewalls, you can still take advantage of Cortex Cloud investigation and detection capabilities by forwarding your Check Point firewall logs to Cortex Cloud. Check Point firewall logs can be used as the sole data source, or in conjunction with Palo Alto Networks firewall logs and additional data sources.

Cortex Cloud can stitch data from Check Point firewalls with other logs to make up network stories searchable in the Query Builder and in Cortex Query Language (XQL) queries. Cortex Cloud can also return raw data from Check Point firewalls in XQL queries.

Note

  • Logs with sessionid = 0 are dropped.

  • Destination Port data is available only in the raw logs.

In terms of alerts, Cortex Cloud can both surface native Check Point firewall alerts and generate its own issues on network activity. Issues are displayed throughout Cortex Cloud issue, case, and investigation views.

To integrate your logs, you first need to set up an applet in a Broker VM within your network to act as a Syslog Collector. You then configure your Check Point firewall policy to log all traffic and set up the Log Exporter on your Check Point Log Server to forward logs to the Syslog Collector in a CEF format.

When Cortex Cloud starts to receive logs, the app can begin stitching network connection logs with other logs to form network stories. Cortex Cloud can also analyze your logs to generate Analytics issues, and can apply IOC, BIOC, and Correlation Rule matching. You can also use queries to search your network connection logs.

  1. Ensure that your Check Point firewalls meet the following requirements.

    Check Point software version: R77.30, R80.10, R80.20, R80.30, or R80.40

  2. Increase log storage for Check Point firewall logs.

    As an estimate for initial sizing, note that the average Check Point log size is roughly 700 bytes. For proper sizing calculations, test the log sizes and log rates produced by your Check Point firewalls. For more information, see Manage Your Log Storage within Cortex Cloud.

  3. Activate the Syslog Collector.

  4. Configure the Check Point firewall to forward Syslog events in CEF format to the Syslog Collector.

    Configure your firewall policy to log all traffic and set up the Log Exporter to forward logs to the Syslog Collector. For more information on setting up Log Exporter, see the Check Point documentation.
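The following is an added example, not code from this guide, the Broker VM, or Check Point's Log Exporter. It shows what the Syslog Collector receives in step 4 (syslog lines carrying a CEF payload) and mirrors the two caveats in the Note above: events with session id 0 are dropped, and the destination port (`dpt` in CEF) is only present in the raw extension fields. The three sample lines are constructed, and the `sessionid` extension key name is an assumption for the example; check the key used in your own raw logs before filtering on it.

```python
"""Parse CEF-over-syslog lines and apply the sessionid = 0 drop rule (added example)."""
import re
from dataclasses import dataclass

# Names of the seven '|'-separated CEF header positions, in CEF order.
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# Assumption for this example: the Log Exporter writes the session id under
# this extension key. Verify against your raw logs before relying on it.
SESSION_ID_KEY = "sessionid"

_PIPE_SPLIT = re.compile(r"(?<!\\)\|")                      # '|' not escaped as '\|'
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")     # 'key=' at start or after space


@dataclass
class CefEvent:
    header: dict
    extension: dict


def _unescape(value: str) -> str:
    # CEF escapes '|' (header), '=' (extension) and '\' itself with a backslash.
    return value.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_extension(ext: str) -> dict:
    """Split 'k1=v1 k2=v2 ...'; values may contain spaces and escaped '='."""
    fields = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF payload; the syslog prefix is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _PIPE_SPLIT.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven '|'-separated fields")
    header = {k: _unescape(v) for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    return CefEvent(header, parse_extension(parts[7]))


def should_ingest(event: CefEvent) -> bool:
    """Documented behaviour: events whose session id is 0 are dropped; all others kept."""
    return event.extension.get(SESSION_ID_KEY) != "0"


def triage(lines):
    """Return (kept, dropped) parsed events for a batch of syslog lines."""
    kept, dropped = [], []
    for line in lines:
        event = parse_cef(line)
        (kept if should_ingest(event) else dropped).append(event)
    return kept, dropped


# Constructed sample input: syslog header followed by a CEF payload.
SAMPLE_LINES = [
    # accepted session; the destination port is visible only here, in the raw extension
    "<134>Dec 24 10:00:00 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Accept|Accept|0|"
    "src=10.1.2.3 dst=192.0.2.10 spt=51234 dpt=443 proto=tcp act=Accept sessionid=4711",
    # session id 0, which Cortex Cloud drops
    "<134>Dec 24 10:00:01 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Drop|Drop|5|"
    "src=10.1.2.4 dst=198.51.100.7 dpt=22 proto=tcp act=Drop sessionid=0",
    # escaped '=' and a space inside a value
    "<134>Dec 24 10:00:02 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Accept|Accept|0|"
    "src=10.1.2.5 dst=192.0.2.11 dpt=80 msg=matched rule\\=web out act=Accept sessionid=4712",
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_LINES)
    for ev in kept:
        print("kept   ", ev.header["name"], ev.extension.get("dst"), "dpt", ev.extension.get("dpt"))
    for ev in dropped:
        print("dropped", ev.header["name"], "sessionid =", ev.extension.get(SESSION_ID_KEY))
```

Run it as a script to see which sample events would survive the drop rule; `triage` is the entry point to reuse against lines captured from your own collector, for instance to size the share of session-id-0 events before the step 2 storage estimate.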