| Display Name | CP Field Name | Description | Example |
|---|---|---|---|
| Action | action | Response to the attack, as defined by policy. | prevent |
| Action Details | action_details | Description of the malicious action found. | Communicating with a command and control server |
| Analyzed On | analyzed_on | Where the detected resource was analyzed. | Check Point Threat Emulation Cloud |
| App Package | app_package | Unique identifier of a mobile application. | com.facebook.katana |
| Application Name | appi_name | Name of the mobile application downloaded onto the protected device. | Free Music MP3 Player |
| Application Repackaged | app_repackaged | Indicates that the original app was repackaged by someone other than the official developer. | |
| Application Signature ID | app_sig_id | Unique SHA identifier of a mobile app. | b6511332331bc8bc64e8bdb1cd915592b29f4606 |
| Application Version | app_version | Version of the mobile application downloaded onto the protected device. | 1.3 |
| Attack Information | attack_info | Description of the vulnerability, in case of a host or network vulnerability. | Linux EternalRed Samba Remote Code Execution |
| Attack Name | attack | Name of the vulnerability category, in case of a host or network vulnerability. | Windows SMB Protection Violation |
| Attack status | Attack status | In case of a malicious event on an endpoint, the status of the attack. | Active |
| Attacker Phone Number | attacker_phone_number | In case of a malicious SMS, the phone number of the sender of the malicious link inside the SMS. | 15712244010 |
| BCC | bcc | The blind carbon copy address of the mail. | mail@checkpoint.com |
| Blade | product | Blade name. | Anti-Bot |
| BSSID | bssid | The unique MAC address of the Wi-Fi network related to the Wi-Fi attack against a mobile device. | 98:FC:11:B9:24:12 |
| Bytes (sent/received) | aggregation of sent_bytes and received_bytes | Amount of bytes sent and received in the attack. | 24kb/118kb |
| CC | cc | The carbon copy address of the mail. | mail@checkpoint.com |
| Certificate Name | certificate_name | The Common Name identifies the host name associated with the certificate. | Piso-Nuevo |
| Client Name | client_name | Client application or blade that detected the event. | Check Point Endpoint Security Client |
| Confidence Level | confidence_level | Detection confidence value based on Check Point ThreatCloud. | Medium |
| Content Risk | content_risk | The risk of the content extracted from a document. | 4 - high |
| Dashboard Event ID | dashboard_event_id | Unique ID of the event in the cloud dashboard. | 1729 |
| Dashboard Origin | dashboard_orig | Name of the cloud mobile dashboard. | SBM Cloud management |
| Dashboard Time | dashboard_time | Cloud mobile dashboard time at the time the log was created. | 7th July 2018 22:27 |
| Description | description | Additional information about the detected attack, or the error related to the connection. | Check Point Online Web Service failure. See sk74040 for more information |
| Destination | dst | Attack destination IP address. | 192.168.22.2 |
| Determined By | te_verdict_determined_by | Which emulator determined that the file is malicious. | Win7 64b,Office 2010,Adobe 11: local cache. Win7,Office 2013,Adobe 11: local cache. |
| Developer Certificate Name | developer_certificate_name | Name of the developer certificate that was used to sign the mobile app. | iPhone Developer(6MZTQJDTZ) |
| Developer Certificate SHA | developer_certificate_sha | SHA of the developer certificate that was used to sign the mobile app. | Sha1 |
| Device ID | device_identification | Unique ID of the mobile device. | 2739 |
| Direction | interfacedir | Connection direction. | inbound; outbound |
| Email Recipients Number | email_recipients_num | The number of recipients who received the same mail. | 6 |
| Email Subject | email_subject | The subject of the mail that was inspected by Check Point. | invoice #43662 |
| Extension Version | extension_version | SandBlast Agent browser extension build version. | SandBlast Extention 990.45.6 |
| Extracted File Hash | Extracted_file_hash | In case of an archive file, the hash list of the internal files. | 8e3951897bf8371e6010e3254b99e86d |
| Extracted File Names | Extracted_file_names | In case of an archive file, the internal file names. | malicious.js |
| Extracted File Types | Extracted_file_types | In case of an archive file, the internal file types. | js |
| Extracted File Verdict | Extracted_file_verdict | In case of an archive file, the verdict for the internal files. | malicious |
| File Direction | file_direction | In case of a malicious file found by Anti-Virus, the direction of the connection (download/upload). | Incoming |
| File MD5 | file_md5 | Detected file MD5. | 8e3951897bf8371e6010e3254b99e86d |
| File Name | file_name | Detected file name. | Malicious.exe |
| File SHA1 | file_sha1 | Detected file SHA1. | 4d48c297e2cd81b1ee786a71fc1a3def178619aa |
| File SHA256 | file_sha256 | Detected file SHA256. | 110d6ae802d229a8105f3185525b5ce2cf9e151f2462bf407db6e832ccac56fa |
| File Size | file_size | Detected file size (bytes). | 8.4KB |
| File Type | file_type | Detected file extension. | wsf |
| First Detection | first_detection | First detection time of the infection. | 1st January 2018 |
| Geographic Location | calc_geo_location | In case of malicious activity on the mobile device, the location of the mobile device (LON / LAT). | 32.0686513,34.7945463 |
| Hardware Model | hardware_model | Mobile hardware model. | Samsung A900 |
| Host Time | host_time | Time based on the host's local configuration. | 7th July 2018 22:27 |
| Host Type | host_type | Type of the source endpoint machine. | Desktop |
| Impacted Files | impacted_files | In case of an infection on an endpoint, the list of files that the malware impacted. | privatedoc.txt;image.png |
| Industry Reference | industry_reference | Link to the related vulnerability documentation at MITRE. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148 |
| Installed Blades | installed_products | Subset of installed Endpoint blades. | Anti-Ransomware, Anti-Exploit, Anti-Bot |
| Interface | interfaceName | The firewall interface that a connection traverses. | eth1 |
| Jailbreak Information | jailbreak_message | Device OS integrity state; true means the OS is jailbroken or rooted. | 1 |
| Last Detection | last_detection | Last detection time of the infection. | 2nd January 2018 |
| Malware Action | malware_action | Description of detected malware activity. | DNS query for a site known to be malicious |
| Malware Family | malware_family | Malware name related to the malicious IOC. | Locky |
| MDM ID | mdm_id | Mobile device ID on the MDM system. | 4718 |
| Network Certificate | network_certificate | Public key of the certificate that was used to perform SSL interception. | example.com |
| Not Vulnerable OS | emulated_on | Emulators that did not find the file malicious. | Win7 64b,Office 2010,Adobe 11 |
| Origin | orig | Name of the first gateway. | My_GW |
| OS Name | os_name | Source endpoint OS name. | Windows 7 Professional N Edition |
| OS Version | os_version | Source endpoint OS build version. | 6.1-7601-SP1.0-SMP |
| Packet Capture | packet_capture | Link to the PCAP file that recorded the malicious connection. | link to file |
| Parent Process MD5 | parent_process_md5 | MD5 of the parent process of the attack trigger process. | d41d8cd98f00b204e9800998ecf8427e |
| Parent Process Name | parent_process_name | Name of the parent process of the attack trigger process. | cmd.exe |
| Parent Process Username | parent_process_username | Owner of the parent process of the attack trigger process. | johna |
| Performance Impact | performance_impact | IPS signature performance impact on the gateway. | Medium |
| Phone Number | phone_number | The phone number of the user of the mobile device. | 15712244010 |
| Policy Date | policy_date | Latest pulled policy date. | 1st January 2018 |
| Policy Management | policy_mgmt | Management server name. | My_MGMT_server |
| Policy Name | policy_name | Latest pulled policy name. | Recommended_Perimmiter |
| Process MD5 | process_md5 | Attack trigger process MD5. | d41d8cd98f00b204e9800998ecf8427e |
| Process Name | process_name | Attack trigger process name. | bot.exe |
| Process Username | process_username | Attack trigger process owner name. | johna |
| Product Family | product_family | Blade family. | Threat |
| Product Version | client_version | Build version of the SandBlast Agent client installed on the host. | 80.85.7076 |
| Protection Name | protection_name | Specific signature name of the attack. | Exploited doc document |
| Protection Type | protection_type | Type of the protection used to detect the attack. | SMTP Emulation |
| Reason | reason | The reason for detecting or stopping the attack. | Internal error occurred, could not connect to cws.checkpoint.com:80. Check proxy configuration on the gateway. |
| Recipient | to | Destination mail address. | Recipient@example.com |
| Remediated Files | remediated_files | In case of an infection and a successful cleaning, the list of remediated files on the host. | Malicious.exe, dropper.exe |
| Resource | resource | Malicious URL/domain/DNS request. | www[.]maliciousdomain[.]xyz |
| Risk | file_risk | The risk rate in case of suspicious content found by Threat Extraction. | 4 |
| Scope | scope | Protected scope defined in the rule. | 192.168.1.3 |
| Sender | from | Source mail address. | sender@example.com |
| Service | service_name | Protocol and destination port. | http [tcp/80] |
| Severity | severity | Incident severity level based on Check Point ThreatCloud. | High |
| Source | src | Attack source IP address. | 91.2.22.28 |
| Source IP-phone | src_phone_number | The source phone number of the event related to the mobile device. | 15712244010 |
| Source Port | s_port | Source port of the connection. | 35125 |
| SSID | ssid | The name of the Wi-Fi network, in case of a suspicious/malicious event found by SandBlast Mobile. | Airport_Free_Wifi |
| Subject | subject | The subject of the mail that was inspected by Check Point. | invoice #43662 |
| Suppressed logs | Suppressed_logs | Aggregation of the connections (within 5 minutes) from the same source, resource and port. | 72 |
| Suspicious Content | scrubbed_content | | Embedded Objects |
| System App | system_app | Indicates that the detected app is installed on the device ROM. | |
| Threat Extraction Activity | scrub_activity | Description of the risky active content found and cleaned. | Active content was found - DOCX file was converted to PDF |
| Threat Profile | smartdefense_profile | IPS profile, if managed separately from the other Threat Prevention blades. | Recommended_IPS_internal |
| Time | time | A timestamp reflecting the time of log creation. | 7th July 2018 22:27 |
| Total Attachments | total_attachments | The number of attachments in a mail. | 3 |
| Triggered By | triggered_by | The name of the mechanism that triggered the blade to enforce a protection. | SandBlast Anti-Ransomware |
| Trusted Domain | trusted_domain | In case of a phishing event, the domain that the attacker was impersonating. | www.checkpoint.com |
| Type | type | Log type. | log |
| Vendor List | vendor_list | The vendor name that gave the verdict for a malicious URL. | Check Point ThreatCloud |
| Verdict | verdict | Verdict of the malicious activity/file. | Malicious |
| Vulnerable OS | detected_on | Vulnerable OS. | Win7, Office 2013, Adobe 11; WinXP, Office 2003/7, Adobe 9 |