
Threat Prevention Log Field Documentation

In R80.20 the 100+ Threat Prevention field definitions for ALL of the SandBlast products (mobile, endpoint, gateway) can be found at the bottom of sk134634: SmartView Cyber Attack View, in the Field Documentation section. They are pasted below for your convenience. The first column is the Display Name shown in the Check Point user interfaces such as Tracker, SmartConsole or SmartView. The second column is the Check Point field name found in a LEA or Log Exporter syslog feed. If you are a third party consuming these fields in another format such as CEF, LEEF or Splunk CIM, Log Exporter maps the field names below to that format using the mapping configuration under $EXPORTERDIR/targets.

# pwd
/opt/CPrt-R80.20/log_exporter/targets/MySyslog

# grep mapping *
.....
targetConfiguration.xml: <!-- Format section determines the form (headers and mappings) of the exported logs -->
targetConfiguration.xml: <mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->


| Display Name | CP Field Name | Description | Example |
|---|---|---|---|
| Action | action | Response to attack, defined by policy. | prevent |
| Action Details | action_details | Description of the malicious action found. | Communicating with a Command and Control server |
| Analyzed On | analyzed_on | Where the detected resource was analyzed. | "Check Point Threat Emulation Cloud" |
| App Package | app_package | Unique identifier of a mobile application. | com.facebook.katana |
| Application Name | appi_name | Mobile application name downloaded onto the protected device. | Free Music MP3 Player |
| Application Repackaged | app_repackaged | Indicates the original app was repackaged by someone other than the official developer. | |
| Application Signature ID | app_sig_id | Unique SHA identifier of a mobile app. | b6511332331bc8bc64e8bdb1cd915592b29f4606 |
| Application Version | app_version | Mobile application version downloaded onto the protected device. | 1.3 |
| Attack Information | attack_info | Description of the vulnerability, in case of a host vulnerability or network vulnerability. | Linux EternalRed Samba Remote Code Execution |
| Attack Name | attack | Name of the vulnerability category, in case of a host vulnerability or network vulnerability. | Windows SMB Protection Violation |
| Attack Status | Attack status | In case of a malicious event on an endpoint, the status of the attack. | Active |
| Attacker Phone Number | attacker_phone_number | In case of a malicious SMS, the phone number of the sender of the malicious link inside the SMS. | 15712244010 |
| BCC | bcc | The blind carbon copy address of the mail. | mail@checkpoint.com |
| Blade | product | Blade name. | Anti-Bot |
| BSSID | bssid | The unique MAC address of the Wi-Fi network related to the Wi-Fi attack against a mobile device. | 98:FC:11:B9:24:12 |
| Bytes (sent\received) | aggregation of sent_bytes and received_bytes | Amount of bytes that was sent and received in the attack. | 24kb/118kb |
| CC | cc | The carbon copy address of the mail. | mail@checkpoint.com |
| Certificate Name | certificate_name | The Common Name identifies the host name associated with the certificate. | Piso-Nuevo |
| Client Name | client_name | Client application\blade that detected the event. | Check Point Endpoint Security Client |
| Confidence Level | confidence_level | Detection confidence value based on Check Point ThreatCloud. | Medium |
| Content Risk | content_risk | The risk of the content extracted from a document. | 4 - high |
| Dashboard Event ID | dashboard_event_id | Unique ID for the event in the cloud dashboard. | 1729 |
| Dashboard Origin | dashboard_orig | Name of the cloud mobile dashboard. | SBM Cloud management |
| Dashboard Time | dashboard_time | Cloud mobile dashboard time at the time of the creation of the log. | 7th July 2018 22:27 |
| Description | description | Additional information about the detected attack OR the error related to the connection. | Check Point Online Web Service failure. See sk74040 for more information |
| Destination | dst | Attack destination IP address. | 192.168.22.2 |
| Determined By | te_verdict_determined_by | Which emulator determined that the file is malicious. | Win7 64b,Office 2010,Adobe 11: local cache. Win7,Office 2013,Adobe 11: local cache. |
| Developer Certificate Name | developer_certificate_name | Name of the developer certificate that was used to sign the mobile app. | iPhone Developer(6MZTQJDTZ) |
| Developer Certificate SHA | developer_certificate_sha | Certificate SHA of the developer certificate that was used to sign the mobile app. | Sha1 |
| Device ID | device_identification | Mobile unique ID. | 2739 |
| Direction | interfacedir | Connection direction. | 'inbound'; 'outbound' |
| Email Recipients Number | email_recipients_num | The number of recipients who received the same mail. | 6 |
| Email Subject | email_subject | The subject of the mail that was inspected by Check Point. | invoice #43662 |
| Extension Version | extension_version | SandBlast Agent browser extension build version. | SandBlast Extention 990.45.6 |
| Extracted File Hash | Extracted_file_hash | In case of an archive file, the internal hash list of files. | 8e3951897bf8371e6010e3254b99e86d |
| Extracted File Names | Extracted_file_names | In case of an archive file, the internal file names. | malicious.js |
| Extracted File Types | Extracted_file_types | In case of an archive file, the internal file types. | js |
| Extracted File Verdict | Extracted_file_verdict | In case of an archive file, the internal files' verdict. | malicious |
| File Direction | file_direction | In case of a malicious file that was found by Anti-Virus, the direction of the connection (download/upload). | Incoming |
| File MD5 | file_md5 | Detected file MD5. | 8e3951897bf8371e6010e3254b99e86d |
| File Name | file_name | Detected file name. | Malicious.exe |
| File SHA1 | file_sha1 | Detected file SHA1. | 4d48c297e2cd81b1ee786a71fc1a3def178619aa |
| File SHA256 | file_sha256 | Detected file SHA256. | 110d6ae802d229a8105f3185525b5ce2cf9e151f2462bf407db6e832ccac56fa |
| File Size | file_size | Detected file size (bytes). | 8.4KB |
| File Type | file_type | Detected file extension. | wsf |
| First Detection | first_detection | First detection time of the infection. | 1st January 2018 |
| Geographic Location | calc_geo_location | In case of malicious activity on the mobile device, the location of the mobile device (LON / LAT). | 32.0686513,34.7945463 |
| Hardware Model | hardware_model | Mobile hardware model. | Samsung A900 |
| Host Time | host_time | Time based on the host's local configuration. | 7th July 2018 22:27 |
| Host Type | host_type | Type of the source endpoint machine. | Desktop |
| Impacted Files | impacted_files | In case of an infection on an endpoint, the list of files that the malware impacted. | privatedoc.txt;image.png |
| Industry Reference | industry_reference | Related vulnerability documentation link to MITRE. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148 |
| Installed Blades | installed_products | Submask of installed EP blades. | Anti-Ransomware, Anti-Exploit, Anti-Bot |
| Interface | interfaceName | The firewall interface that a connection traverses. | eth1 |
| Jailbreak Information | jailbreak_message | Device OS integrity state; True means the OS is jailbroken/rooted. | 1 |
| Last Detection | last_detection | Last detection time of the infection. | 2nd January 2018 |
| Malware Action | malware_action | Description of detected malware activity. | 'DNS query for a site known to be malicious' |
| Malware Family | malware_family | Malware name related to the malicious IOC. | Locky |
| MDM ID | mdm_id | Mobile Device ID on the MDM system. | 4718 |
| Network Certificate | network_certificate | Public key of the certificate that was used to do SSL interception. | example.com |
| Not Vulnerable OS | emulated_on | Emulators that did not find the file malicious. | Win7 64b,Office 2010,Adobe 11 |
| Origin | orig | Name of the first GW. | My_GW |
| OS Name | os_name | Source endpoint OS name. | Windows 7 Professional N Edition |
| OS Version | os_version | Source endpoint OS build version. | 6.1-7601-SP1.0-SMP |
| Packet Capture | packet_capture | Link to the PCAP file that recorded the malicious connection. | link to file |
| Parent Process MD5 | parent_process_md5 | Parent process MD5 of the attack trigger process. | d41d8cd98f00b204e9800998ecf8427e |
| Parent Process Name | parent_process_name | Parent process name of the attack trigger process. | cmd.exe |
| Parent Process Username | parent_process_username | Parent process owner of the attack trigger process. | johna |
| Performance Impact | performance_impact | IPS signature performance impact on the GW. | Medium |
| Phone Number | phone_number | The phone number of the user that is using the mobile device. | 15712244010 |
| Policy Date | policy_date | Latest pulled policy date. | 1st January 2018 |
| Policy Management | policy_mgmt | Management server name. | My_MGMT_server |
| Policy Name | policy_name | Latest pulled policy name. | Recommended_Perimmiter |
| Process MD5 | process_md5 | Attack trigger process MD5. | d41d8cd98f00b204e9800998ecf8427e |
| Process Name | process_name | Attack trigger process name. | bot.exe |
| Process Username | process_username | Attack trigger process owner name. | johna |
| Product Family | product_family | Blade family. | Threat |
| Product Version | client_version | Build version of the SandBlast Agent client installed on the host. | 80.85.7076 |
| Protection Name | protection_name | Specific signature name of the attack. | 'Exploited doc document' |
| Protection Type | protection_type | Type of the protection used to detect the attack. | SMTP Emulation |
| Reason | reason | The reason for detecting or stopping the attack. | Internal error occurred, could not connect to cws.checkpoint.com:80. Check proxy configuration on the gateway. |
| Recipient | to | Destination mail address. | Recipient@example.com |
| Remediated Files | remediated_files | In case of an infection and a successful infection cleaning, the list of remediated files on the host. | Malicious.exe, dropper.exe |
| Resource | resource | Malicious URL/Domain/DNS request. | www[.]maliciousdomain[.]xyz |
| Risk | file_risk | The risk rate in case of suspicious content that was found by Threat Extraction. | 4 |
| Scope | scope | Protected scope defined in the rule. | 192.168.1.3 |
| Sender | from | Source mail address. | sender@example.com |
| Service | service_name | Protocol and destination port. | http [tcp/80] |
| Severity | severity | Incident severity level based on Check Point ThreatCloud. | High |
| Source | src | Attack source IP address. | 91.2.22.28 |
| Source IP-phone | src_phone_number | The source phone number of the event related to the mobile device. | 15712244010 |
| Source Port | s_port | Source port of the connection. | 35125 |
| SSID | ssid | The name of the Wi-Fi network in case of a suspicious/malicious event that was found by SandBlast Mobile. | Airport_Free_Wifi |
| Subject | subject | The subject of the mail that was inspected by Check Point. | invoice #43662 |
| Suppressed Logs | Suppressed_logs | Aggregation of the connections (within 5 minutes) that are from the same source, resource and port. | 72 |
| Suspicious Content | scrubbed_content | | Embedded Objects |
| System App | system_app | Indicates that the detected app is installed on the device ROM. | |
| Threat Extraction Activity | scrub_activity | Description of the risky active content found and cleaned. | Active content was found - DOCX file was converted to PDF |
| Threat Profile | smartdefense_profile | IPS profile, if IPS is managed separately from the other Threat Prevention blades. | Recommended_IPS_internal |
| Time | time | A timestamp which reflects the time of log creation. | 7th July 2018 22:27 |
| Total Attachments | total_attachments | The number of attachments in a mail. | 3 |
| Triggered By | triggered_by | The name of the mechanism that triggered the blade to enforce a protection. | SandBlast Anti-Ransomware |
| Trusted Domain | trusted_domain | In case of a phishing event, the domain that the attacker was impersonating. | www.checkpoint.com |
| Type | type | Log type. | log |
| Vendor List | vendor_list | The vendor name that gave the verdict of a malicious URL. | Check Point ThreatCloud |
| Verdict | verdict | Verdict of the malicious activity/file. | Malicious |
| Vulnerable OS | detected_on | Vulnerable OS. | Win7 Office 2013 Adobe 11 WinXP Office 2003/7 Adobe 9 |
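As an added example that is not part of the original post or of Check Point's own tooling, the script below shows what a consumer on the receiving end of a Log Exporter feed typically does with the field names in this table: it parses a syslog payload, renames the CP field names to the Display Names from the table (the same idea as the mapping configuration in the intro, only done on the collector side), and applies a small triage rule. It assumes the unmapped Log Exporter syslog layout of pipe-separated key=value fields, as produced when mappingConfiguration is left empty; the three log lines and the triage categories are constructed for the example, and only a subset of the table is mapped.

```python
"""Parse and triage Check Point Threat Prevention log lines (added example).

Assumptions (not taken from the original post):
  * payload format is pipe-delimited key=value pairs, the unmapped Log Exporter
    syslog layout used when <mappingConfiguration> is empty;
  * SAMPLE_LOGS are constructed lines, not real gateway output.
"""
from typing import Dict, List

# Subset of the CP Field Name -> Display Name table from the post.
FIELD_DISPLAY_NAMES: Dict[str, str] = {
    "product": "Blade",
    "action": "Action",
    "severity": "Severity",
    "confidence_level": "Confidence Level",
    "src": "Source",
    "dst": "Destination",
    "resource": "Resource",
    "malware_family": "Malware Family",
    "malware_action": "Malware Action",
    "protection_name": "Protection Name",
    "file_name": "File Name",
    "file_md5": "File MD5",
    "verdict": "Verdict",
    "reason": "Reason",
}

# Constructed sample payloads (field values partly borrowed from the table's Example column).
SAMPLE_LOGS: List[str] = [
    "time=1531002420|hostname=My_GW|product=Anti-Bot|action=prevent|severity=High"
    "|confidence_level=High|src=10.1.2.3|dst=203.0.113.7"
    "|resource=www[.]maliciousdomain[.]xyz|malware_family=Locky"
    "|malware_action=DNS query for a site known to be malicious",
    "time=1531002480|hostname=My_GW|product=Threat Emulation|action=detect"
    "|severity=Medium|confidence_level=Medium|src=10.1.2.9|dst=198.51.100.5"
    "|file_name=invoice.wsf|file_md5=8e3951897bf8371e6010e3254b99e86d|verdict=malicious",
    "time=1531002540|hostname=My_GW|product=Anti-Virus|action=detect|severity=Low"
    "|reason=Internal error occurred, could not connect to cws.checkpoint.com:80."
    " Check proxy configuration on the gateway.",
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_log_exporter_line(line: str) -> Dict[str, str]:
    """Split a pipe-delimited key=value payload into a dict.

    Only the first '=' in a token separates key from value, so values that
    contain '=' or ':' survive; tokens without '=' are ignored.
    """
    record: Dict[str, str] = {}
    for token in line.strip().split("|"):
        key, sep, value = token.partition("=")
        if sep and key.strip():
            record[key.strip()] = value.strip()
    return record


def to_display_names(record: Dict[str, str]) -> Dict[str, str]:
    """Rename CP field names to the Display Names used in SmartConsole/SmartView.
    Fields missing from the mapping keep their original name."""
    return {FIELD_DISPLAY_NAMES.get(key, key): value for key, value in record.items()}


def triage(record: Dict[str, str]) -> str:
    """Classify one record (categories are this example's, not Check Point's).

    'inspection-degraded': the Reason field reports a ThreatCloud connectivity
        error, i.e. the verdict could not be fetched and the event is a health
        problem rather than a confirmed detection;
    'blocked': the gateway already prevented the connection;
    'investigate': detect-only event with a malicious verdict or High+ severity;
    'review': everything else.
    """
    reason = record.get("reason", "").lower()
    if "could not connect" in reason:
        return "inspection-degraded"
    if record.get("action", "").lower() == "prevent":
        return "blocked"
    malicious = record.get("verdict", "").lower() == "malicious"
    if malicious or SEVERITY_RANK.get(record.get("severity", ""), 0) >= 3:
        return "investigate"
    return "review"


def summarize(lines: List[str]) -> List[Dict[str, str]]:
    """Parse and triage a batch of lines, keeping the indicator an analyst pivots on
    (the Resource for network blades, the File MD5 for file-based blades)."""
    summary = []
    for line in lines:
        record = parse_log_exporter_line(line)
        summary.append({
            "blade": record.get("product", ""),
            "action": record.get("action", ""),
            "triage": triage(record),
            "indicator": record.get("resource") or record.get("file_md5") or "",
        })
    return summary


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOGS):
        print(row)
```

The Reason check is deliberately placed before the action check: a ThreatCloud connectivity error (the example value in the Reason row) means the gateway could not obtain a verdict, so such lines belong in an operational health queue rather than being counted as low-severity detections.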