In R80.20 the 100+ Threat Prevention field definitions for all SandBlast products (mobile, endpoint, gateway) can be found at the bottom of sk134634 (SmartView Cyber Attack View), in the Field Documentation section. They are pasted below for convenience. The first column is the display name shown in the Check Point user interface (Tracker, SmartConsole or SmartView). The second column is the Check Point field name as it appears in a LEA or Log Exporter syslog feed; this is the name to key on in SIEM searches and detection content, since the display name is only a UI label. If you are a third party consuming these events in another format such as CEF, LEEF or Splunk CIM, Log Exporter maps the field names below to that format using the mapping configuration under $EXPORTERDIR/targets, for example:
UPDATE: a more complete list of Check Point log fields can be found in sk144192.
# pwd
/opt/CPrt-R80.20/log_exporter/targets/MySyslog
# grep mapping *
.....
targetConfiguration.xml:
targetConfiguration.xml:
The CEF field mapping used by Log Exporter is documented at https://community.checkpoint.com/docs/DOC-3371-log-exporter-cef-field-mappings
Display Name | CP Field Name | Description | Example |
--- | --- | --- | --- |
Action | action | Response to attack, defined by policy. | prevent |
Action Details | action_details | Description of the malicious action found. | Communicating with a Command and Control server |
Analyzed On | analyzed_on | Where the detected resource was analyzed. | Check Point Threat Emulation Cloud |
App Package | app_package | Unique identifier of a mobile application | com.facebook.katana |
Application Name | appi_name | Mobile application name downloaded into the protected device | Free Music MP3 Player |
Application Repackaged | app_repackaged | Indicates that the original app was repackaged by someone other than the official developer. | |
Application Signature ID | app_sig_id | Unique SHA identifier of a mobile app | b6511332331bc8bc64e8bdb1cd915592b29f4606 |
Application Version | app_version | Mobile application version downloaded into the protected device | 1.3 |
Attack Information | attack_info | description of the vulnerability in case of a host vulnerability or network vulnerability | Linux EternalRed Samba Remote Code Execution |
Attack Name | attack | name of the vulnerability category in case of a host vulnerability or network vulnerability | Windows SMB Protection Violation |
Attack status | Attack status | in case of a malicious event on an endpoint, the status of the attack | Active |
Attacker Phone Number | attacker_phone_number | in case of a malicious SMS, the phone number of the sender of the malicious link inside the SMS | 15712244010 |
BCC | bcc | the Blind carbon address of the mail | mail@checkpoint.com |
Blade | product | Blade name. | Anti-Bot |
BSSID | bssid | The unique MAC address of the Wi-Fi network related to the Wi-Fi attack against a mobile device. | 98:FC:11:B9:24:12 |
Bytes(sent\received) | aggregation of sent_bytes and received_bytes | Amount of bytes that were sent and received in the attack. | 24kb/118kb |
CC | cc | the carbon address of the mail | mail@checkpoint.com |
Certificate Name | certificate_name | The Common Name identifies the host name associated with the certificate | Piso-Nuevo |
Client Name | client_name | Client application\blade detected the event | Check Point Endpoint Security Client |
Confidence Level | confidence_level | Detection confidence value based on Check Point Threat cloud | Medium |
Content Risk | content_risk | the risk of the extracted content from a document | 4 - high |
Dashboard Event ID | dashboard_event_id | Unique ID of the event in the cloud dashboard. | 1729 |
Dashboard Origin | dashboard_orig | Name of the cloud mobile dashboard. | SBM Cloud management |
Dashboard Time | dashboard_time | Cloud mobile dashboard time at the moment the log was created. | 7th july 2018 22:27 |
Description | description | Additional information about detected attack OR the error related to the connection | Check Point Online Web Service failure. See sk74040 for more information |
Destination | dst | Attack destination IP address. | 192.168.22.2 |
Determined By | te_verdict_determined_by | Which emulator determined that the file is malicious. | Win7 64b,Office 2010,Adobe 11: local cache. Win7,Office 2013,Adobe 11: local cache. |
Developer Certificate Name | developer_certificate_name | Name of the developer certificate that was used to sign the mobile app | iPhone Developer(6MZTQJDTZ) |
Developer Certificate Sha | developer_certificate_sha | Certificate SHA of the developer certificate that was used to sign the mobile app | Sha1 |
Device ID | device_identification | Mobile unique ID. | 2739 |
Direction | interfacedir | Connection direction. | 'inbound'; 'outbound' |
Email Recipients Number | email_recipients_num | The number of recipients who received the same mail. | 6 |
Email Subject | email_subject | the subject of the mail that was inspected by Check Point | invoice #43662 |
Extension Version | extension_version | SandBlast Agent browser extension build version. | SandBlast Extension 990.45.6 |
Extracted File Hash | Extracted_file_hash | In case of an archive file - the internal hash list of files. | 8e3951897bf8371e6010e3254b99e86d |
Extracted File Names | Extracted_file_names | in case of an archive file - the internal file names | malicious.js |
Extracted File Types | Extracted_file_types | in case of an archive file -the internal file types | js |
Extracted File Verdict | Extracted_file_verdict | in case of an archive file - the internal files verdict | malicious |
File Direction | file_direction | in case of a malicious file that was found in Anti-Virus, the direction of the connection (download/upload) | Incoming |
File MD5 | file_md5 | Detected file MD5. | 8e3951897bf8371e6010e3254b99e86d |
File Name | file_name | Detected file name. | Malicious.exe |
File SHA1 | file_sha1 | Detected file Sha1. | 4d48c297e2cd81b1ee786a71fc1a3def178619aa |
File SHA256 | file_sha256 | Detected file Sha256. | 110d6ae802d229a8105f3185525b5ce2cf9e151f2462bf407db6e832ccac56fa |
File Size | file_size | Detected file size(bytes). | 8.4KB |
File Type | file_type | Detected file extension. | wsf |
First Detection | first_detection | First detection time of the infection. | 1 January 2018 |
Geographic Location | calc_geo_location | in case of a malicious activity on the mobile device, the location of the mobile device (LON / LAT) | 32.0686513,34.7945463 |
Hardware Model | hardware_model | Mobile hardware model | Samsung A900 |
Host Time | host_time | time based on the host local configuration | 7th july 2018 22:27 |
Host Type | host_type | Type of the source endpoint machine | Desktop |
Impacted Files | impacted_files | In case of an infection on an endpoint, the list of files that the malware impacted. | privatedoc.txt;image.png |
Industry Reference | industry_reference | Related vulnerability documentation link to MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148 |
Installed Blades | installed_products | Submask of installed EP blades | Anti-Ransomware, Anti-Exploit, Anti-Bot |
Interface | interfaceName | The firewall interface that a connection traverses. | eth1 |
Jailbreak Information | jailbreak_message | Device OS integrity state; true (1) means the OS is jailbroken/rooted. | 1 |
Last Detection | last_detection | Last detection time of the infection. | 2 January 2018 |
Malware Action | malware_action | Description of detected malware activity. | 'DNS query for a site known to be malicious'; |
Malware Family | malware_family | malware name related to the malicious IOC | Locky |
MDM ID | mdm_id | Mobile Device ID on the MDM system | 4718 |
Network Certificate | network_certificate | public key of the certificate that was used to do SSL interception | example.com |
Not Vulnerable OS | emulated_on | Emulation environments that did not find the file malicious. | Win7 64b,Office 2010,Adobe 11 |
Origin | orig | Name of first GW | My_GW |
OS Name | os_name | Source endpoint OS name | Windows 7 Professional N Edition |
OS Version | os_version | Source endpoint OS build version. | 6.1-7601-SP1.0-SMP |
Packet Capture | packet_capture | link to the PCAP file recorded the malicious connection | link to file |
Parent Process MD5 | parent_process_md5 | Parent process md5 of attack trigger process. | d41d8cd98f00b204e9800998ecf8427e |
Parent Process Name | parent_process_name | Parent process name of attack trigger process. | cmd.exe |
Parent Process Username | parent_process_username | Parent process owner of attack trigger process. | johna |
Performance Impact | performance_impact | IPS Signature performance impact on the GW | Medium |
Phone Number | phone_number | the Phone number of the user that is using the mobile device | 15712244010 |
Policy Date | policy_date | Latest pulled policy date. | 1 January 2018 |
Policy Management | policy_mgmt | Management server name. | My_MGMT_server |
Policy Name | policy_name | Latest pulled policy name. | Recommended_Perimeter |
Process MD5 | process_md5 | Attack trigger process md5. | d41d8cd98f00b204e9800998ecf8427e |
Process Name | process_name | Attack trigger process name. | bot.exe |
Process Username | process_username | Attack trigger process owner name. | johna |
Product Family | product_family | Blade family. | Threat |
Product Version | client_version | Build version of SandBlast agent client installed on the host. | 80.85.7076 |
Protection Name | protection_name | Specific signature name of the attack. | 'Exploited doc document' |
Protection Type | protection_type | Type of the protection used to detect the attack. | SMTP Emulation |
Reason | reason | The reason for detecting or stopping the attack. | Internal error occurred, could not connect to cws.checkpoint.com:80. Check proxy configuration on the gateway. |
Recipient | to | Destination mail address. | Recipient@example.com |
Remediated Files | remediated_files | In case of an infection and a successful cleanup - list of remediated files on the host. | Malicious.exe, dropper.exe |
Resource | resource | Malicious URL/Domain/DNS request | www[.]maliciousdomain[.]xyz |
Risk | file_risk | The risk rating of suspicious content found by Threat Extraction. | 4 |
Scope | scope | Protected scope defined in the rule. | 192.168.1.3 |
Sender | from | Source mail address. | sender@example.com |
Service | service_name | Protocol and destination port. | http [tcp/80] |
Severity | severity | Incident severity level based on Check Point Threat cloud | High |
Source | src | Attack source IP address. | 91.2.22.28 |
Source IP-phone | src_phone_number | the source phone number of the event related to the mobile device | 15712244010 |
Source Port | s_port | source port of the connection | 35125 |
SSID | ssid | the name of the wifi network in case of a suspicious/malicious event that was found in sandblast mobile | Airport_Free_Wifi |
Subject | subject | the subject of the mail that was inspected by Check Point | invoice #43662 |
Suppressed logs | Suppressed_logs | aggregation of the connections (in 5 minutes) that are from the same source, resource and port | 72 |
Suspicious Content | scrubbed_content | Embedded Objects | |
System App | system_app | Indicate that the app detected is installed on the device ROM | |
Threat Extraction Activity | scrub_activity | Description of the risky active content found and cleaned. | Active content was found - DOCX file was converted to PDF |
Threat Profile | smartdefense_profile | IPS profile, when IPS is managed separately from the other Threat Prevention blades. | Recommended_IPS_internal |
Time | time | A time-stamp, which reflects the time of log creation | 7th july 2018 22:27 |
Total Attachments | total_attachments | The number of attachments in a mail. | 3 |
Triggered By | triggered_by | the name of the mechanism that triggered the blade to enforce a protection | SandBlast Anti-Ransomware |
Trusted Domain | trusted_domain | In case of a phishing event - the domain the attacker was impersonating. | www.checkpoint.com |
Type | type | Log type. | log |
Vendor List | vendor_list | the vendor name that gave the verdict of a malicious URL | Check Point ThreatCloud |
Verdict | verdict | Verdict of the malicious activity/File | Malicious |
Vulnerable OS | detected_on | Vulnerable OS. | Win7 Office 2013 Adobe 11 WinXP Office 2003/7 Adobe 9 |
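To make the field-name-to-format mapping concrete, here is an added example (not Check Point's code and not a copy of targetConfiguration.xml) that parses a constructed key="value" line keyed by the CP field names from the table above, pulls out the IOCs and the prevented/detect-only status a SOC would triage on, and re-emits the event as CEF with the escaping CEF requires (pipe and backslash in the header; backslash, equals sign and line breaks in the extension). The sample log line, the subset of fields mapped to CEF keys, the severity-to-number mapping and the R80.20 device version are all assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not a capture from a gateway: the keys are CP field names
# from the table above, the values are invented for the example.
SAMPLE_LOG = (
    'time="7th july 2018 22:27" product="Anti-Bot" action="prevent" '
    'src="91.2.22.28" s_port="35125" dst="192.168.22.2" '
    'service_name="http [tcp/80]" protection_name="Trojan.Win32.Locky" '
    'malware_family="Locky" severity="High" confidence_level="Medium" '
    'verdict="Malicious" suppressed_logs="72" '
    'file_sha256="110d6ae802d229a8105f3185525b5ce2cf9e151f2462bf407db6e832ccac56fa" '
    'file_md5="8e3951897bf8371e6010e3254b99e86d" '
    'resource="www[.]maliciousdomain[.]xyz" '
    'description="dropper C:\\Users\\johna\\bot.exe reached C2 | verdict=malicious"'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_cp_log(line: str) -> Dict[str, str]:
    """Split a key="value" line into a dict keyed by CP field name."""
    return dict(KV_RE.findall(line))


# CP field name -> IOC type. The hash and resource fields come from the table.
IOC_FIELDS = (("file_sha256", "sha256"), ("file_sha1", "sha1"),
              ("file_md5", "md5"), ("resource", "resource"), ("src", "ip"))


def refang(value: str) -> str:
    """Undo the www[.]example defanging used in the table's examples."""
    return value.replace("[.]", ".")


def extract_iocs(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    return [(kind, refang(ev[f])) for f, kind in IOC_FIELDS if ev.get(f)]


def was_prevented(ev: Dict[str, str]) -> bool:
    """'prevent' is the action value the table shows; anything else is treated
    as detect-only, i.e. the payload reached the host and needs follow-up."""
    return ev.get("action", "").lower() == "prevent"


def cef_header_escape(s: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(s: str) -> str:
    """CEF extension values: backslash, '=' and line breaks must be escaped;
    a pipe is legal here and is left alone."""
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


# Assumed mapping of the table's severity words to CEF's 0-10 scale.
CEF_SEVERITY = {"low": 3, "medium": 5, "high": 8, "critical": 10}

# CP field -> CEF extension key. Illustrative subset only; the real mapping is
# the one in $EXPORTERDIR/targets/<target>/targetConfiguration.xml.
CEF_MAP = {
    "src": "src", "s_port": "spt", "dst": "dst", "action": "act",
    "file_sha256": "fileHash", "resource": "request", "suppressed_logs": "cnt",
    "description": "msg", "malware_family": "cs1", "verdict": "cs2",
}
CEF_LABELS = {"cs1": "MalwareFamily", "cs2": "Verdict"}


def to_cef(ev: Dict[str, str], device_version: str = "R80.20") -> str:
    """Render the event as CEF:0|Vendor|Product|Version|ClassID|Name|Severity|ext.
    device_version is an assumption; a real gateway reports its own."""
    name = ev.get("protection_name", "unknown")
    sev = CEF_SEVERITY.get(ev.get("severity", "").lower(), 0)
    header = "|".join(cef_header_escape(h) for h in (
        "CEF:0", "Check Point", ev.get("product", "Threat Prevention"),
        device_version, name, name, str(sev)))
    ext = []
    for cp_field, cef_key in CEF_MAP.items():
        if cp_field in ev:
            ext.append(f"{cef_key}={cef_ext_escape(ev[cp_field])}")
            if cef_key in CEF_LABELS:
                ext.append(f"{cef_key}Label={CEF_LABELS[cef_key]}")
    return header + "|" + " ".join(ext)


def triage(line: str) -> Dict[str, object]:
    """One-stop summary a SOC analyst would want from a single TP log line."""
    ev = parse_cp_log(line)
    return {"prevented": was_prevented(ev), "iocs": extract_iocs(ev),
            "cef": to_cef(ev)}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The escaping functions are the part worth keeping: a description that contains a Windows path or an `=` sign will corrupt a CEF extension if it is concatenated raw, and a product name containing `|` will shift every header column after it.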