This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bob_Bent
Mod
Mod
‎2018-12-15 10:47 AM

Threat Prevention Log Field Documentation

In R80.20 the 100+ Threat Prevention field definitions for ALL of SandBlast products (mobile, endpoint, gateway) can be found at the bottom of sk134634: SmartView Cyber Attack View in the Field Documentation section. Pasting below for your convenience. In the first column is the Display name shown in the Check Point user interface like Tracker, SmartConsole or SmartView. In the second column is the Check Point field name found in a LEA or Log Exporter syslog feed. If you are a 3rd party who consumes these in another format such as CEF, LEEF or Splunk CIM, then Log Exporter will map the below to one of these formats using the mapping configuration in $EXPORTERDIR/targets.

UPDATE: a more complete list of Check Point log fields can be found in sk144192.

 

# pwd
/opt/CPrt-R80.20/log_exporter/targets/MySyslog

# grep mapping *
.....
targetConfiguration.xml:
targetConfiguration.xml:

https://community.checkpoint.com/docs/DOC-3371-log-exporter-cef-field-mappings 

 

Display Name CP Field Name Description Example
Action action Response to attack, defined by policy. prevent
Action Details action_details description of the malicious action found Comunicating with a Command and control server
Analyzed On analyzed_on Where the detected resource was analyzed. "Check Point Threat Emulation Cloud";
App Package app_package Unique identifier of a mobile application com.facebook.katana
Application Name appi_name Mobile application name downloaded into the protected device Free Music MP3 Player
Application Repackaged app_repackaged indicate the original app was repackage not by the official developer  
Application Signature ID app_sig_id Unique SHA identifier of a mobile app b6511332331bc8bc64e8bdb1cd915592b29f4606
Application Version app_version Mobile application version downloaded into the protected device 1.3
Attack Information attack_info description of the vulnerability in case of a host vulnerability or network vulnerability Linux EternalRed Samba Remote Code Execution
Attack Name attack name of the vulnerability category in case of a host vulnerability or network vulnerability Windows SMB Protection Violation
Attack status Attack status in case of a malicious event on an endpoint, the status of the attack Active
Attacker Phone Number attacker_phone_number in case of a malicious SMS, the phone number of the sender of the malicious link inside the SMS 15712244010
BCC bcc the Blind carbon address of the mail mail@checkpoint.com
Blade product Blade name. Anti-Bot
BSSID bssid the uniqe MAC address of the wifi network related to the wifi attack against a mobile device 98:FC:11:B9:24:12
Bytes(sent\received) aggregation of sent_bytes and received_bytes amount of bytes that was sent and received in the attack 24kb/118kb
CC cc the carbon address of the mail mail@checkpoint.com
Certificate Name certificate_name The Common Name identifies the host name associated with the certificate Piso-Nuevo
Client Name client_name Client application\blade detected the event Check Point Endpoint Security Client
Confidence Level confidence_level Detection confidence value based on Check Point Threat cloud Medium
Content Risk content_risk the risk of the extracted content from a document 4 - high
Dashboard Event ID dashboard_event_id Uniqe ID for the event in the cloud dashboard 1729
Dashboard Origin dashboard_orig Name of the Cloud mobile dashboard SBM Cloud management
Dashboard Time dashboard_time Cloud Mobile dashboard time in the time of the creation of the log 7th july 2018 22:27
Description description Additional information about detected attack OR the error related to the connection Check Point Online Web Service failure. See sk74040 for more information
Destination dst Attack destination IP address. 192.168.22.2
Determined By te_verdict_determined_by Which emulator determend that the file is malicious Win7 64b,Office 2010,Adobe 11: local cache. Win7,Office 2013,Adobe 11: local cache.
Developer Certificate Name developer_certificate_name Name of the developer certificate that was used to sign the mobile app iPhone Developer(6MZTQJDTZ)
Developer Certificate Sha developer_certificate_sha Certificate SHA of the developer certificate that was used to sign the mobile app Sha1
Device ID device_identification Mobile Uniqe ID 2739
Direction interfacedir Connection direction. 'inbound'; 'outbound'
Email Recipients Number email_recipients_num the number of recipient who recived the same mail 6
Email Subject email_subject the subject of the mail that was inspected by Check Point invoice #43662
Extension Version extension_version SandBlast agent browser extension build version. SandBlast Extention 990.45.6
Extracted File Hash Extracted_file_hash case of an archive file - the internal hash list of files 8e3951897bf8371e6010e3254b99e86d
Extracted File Names Extracted_file_names in case of an archive file - the internal file names malicious.js
Extracted File Types Extracted_file_types in case of an archive file -the internal file types js
Extracted File Verdict Extracted_file_verdict in case of an archive file - the internal files verdict malicious
File Direction file_direction in case of a malicious file that was found in Anti-Virus, the direction of the connection (download/upload) Incoming
File MD5 file_md5 Detected file MD5. 8e3951897bf8371e6010e3254b99e86d
File Name file_name Detected file name. Malicious.exe
File SHA1 file_sha1 Detected file Sha1. 4d48c297e2cd81b1ee786a71fc1a3def178619aa
File SHA256 file_sha256 Detected file Sha256. 110d6ae802d229a8105f3185525b5ce2cf9e151f2462bf407db6e832ccac56fa
File Size file_size Detected file size(bytes). 8.4KB
File Type+A23 file_type Detected file extension. wsf
First Detection first_detection First detection time of the infection 1th january 2018
Geographic Location calc_geo_location in case of a malicious activity on the mobile device, the location of the mobile device (LON / LAT) 32.0686513,34.7945463
Hardware Model hardware_model Mobile hardware model Samsung A900
Host Time host_time time based on the host local configuration 7th july 2018 22:27
Host Type host_type Type of the source endpoint machine Desktop
Impacted Files impacted_files In case of an infection on an endpoint, the list of files that the malware impacted. privatedoc.txt;image.png
Industry Reference industry_reference Related vulnerability documentation link to MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148
Installed Blades installed_products Submask of installed EP blades Anti-Ransomware, Anti-Exploit, Anti-Bot
Interface interfaceName The firewall interface that a connection traverses. eth1
Jailbreak Information jailbreak_message Device OS integrity state, True the OS is Jailbroken/Rooted 1
Last Detection last_detection Last detection time of the infection 2th january 2018
Malware Action malware_action Description of detected malware activity. 'DNS query for a site known to be malicious';
Malware Family malware_family malware name related to the malicious IOC Locky
MDM ID mdm_id Mobile Device ID on the MDM system 4718
Network Certificate network_certificate public key of the certificate that was used to do SSL interception example.com
Not Vulnerable OS emulated_on Emulators that didnt found the file malicious Win7 64b,Office 2010,Adobe 11
Origin orig Name of first GW My_GW
OS Name os_name Source endpoint OS name Windows 7 Professional N Edition
OS Version os_version Source endpoint OS build version. 6.1-7601-SP1.0-SMP
Packet Capture packet_capture link to the PCAP file recorded the malicious connection link to file
Parent Process MD5 parent_process_md5 Parent process md5 of attack trigger process. d41d8cd98f00b204e9800998ecf8427e
Parent Process Name parent_process_name Parent process name of attack trigger process. cmd.exe
Parent Process Username parent_process_username Parent process owner of attack trigger process. johna
Performance Impact performance_impact IPS Signature performance impact on the GW Medium
Phone Number phone_number the Phone number of the user that is using the mobile device 15712244010
Policy ` policy_date Latest pulled policy date. 1th january 2018
Policy Management policy_mgmt Management server name. My_MGMT_server
Policy Name policy_name Latest pulled policy name. Recommended_Perimmiter
Process MD5 process_md5 Attack trigger process md5. d41d8cd98f00b204e9800998ecf8427e
Process Name process_name Attack trigger process name. bot.exe
Process Username process_username Attack trigger process owner name. johna
Product Family product_family Blade family. Threat
Product Version client_version Build version of SandBlast agent client installed on the host. 80.85.7076
Protection Name protection_name Specific signature name of the attack. 'Exploited doc document'
Protection Type protection_type Type of the protection used to detect the attack. SMTP Emulation
Reason reason The reason for detecting or stopping the attack. Internal error occurred, could not connect to cws.checkpoint.com:80". Check proxy configuration on the gateway."
Recipient to Destination mail address. Recipient@example.com
Remediated Files remediated_files in case of an infection and a succesfull infection cleaning - list of remediated files in the host Malicious.exe, dropper.exe
Resource resource Malicious URL/Domain/DNS request www[.]maliciousdomain[.]xyz
Risk file_risk the risk rate in case of a suspicious contect that was found by Threat Extraction 4
Scope scope Protected scope defined in the rule. 192.168.1.3
Sender from Source mail address. sender@example.com
Service service_name Protocol and destination port. http [tcp/80]
Severity severity Incident severity level based on Check Point Threat cloud High
Source src Attack source IP address. 91.2.22.28
Source IP-phone src_phone_number the source phone number of the event related to the mobile device 15712244010
Source Port s_port source port of the connection 35125
SSID ssid the name of the wifi network in case of a suspicious/malicious event that was found in sandblast mobile Airport_Free_Wifi
Subject subject the subject of the mail that was inspected by Check Point invoice #43662
Suppressed logs Suppressed_logs aggregation of the connections (in 5 minutes) that are from the same source, resource and port 72
Suspicious Content scrubbed_content   Embedded Objects
System App system_app Indicate that the app detected is installed on the device ROM  
Threat Extraction Activity scrub_activity description of the risky active contect found and cleaned Active content was found - DOCX file was converted to PDF
Threat Profile smartdefense_profile IPS profile if managed cepertly than other threat prevention blades Recommended_IPS_internal
Time time A time-stamp, which reflects the time of log creation 7th july 2018 22:27
Total Attachments total_attachments the amout of attachment in a mail 3
Triggered By triggered_by the name of the mechanism that triggered the blade to enforce a protection SandBlast Anti-Ransomware
Trusted Domain trusted_domain in case of phishing event - the domain that the attacker was Impersonating to www.checkpoint.com
Type type Log type. log
Vendor List vendor_list the vendor name that gave the verdict of a malicious URL Check Point ThreatCloud
Verdict verdict Verdict of the malicious activity/File Malicious
Vulnerable OS detected_on Vulnerable OS. Win7 Office 2013 Adobe 11 WinXP Office 2003/7 Adobe 9
Labels
0 Replies