Some checkpoint module
Module for parsing Checkpoint syslog.
-
checkpoint.confidence_level
-
Confidence level determined by ThreatCloud.
type: integer
-
checkpoint.calc_desc
-
Log description.
type: keyword
-
checkpoint.dst_country
-
Destination country.
type: keyword
-
checkpoint.dst_user_name
-
Connected user name on the destination IP.
type: keyword
-
checkpoint.email_id
-
Email number in smtp connection.
type: keyword
-
checkpoint.email_subject
-
Original email subject.
type: keyword
-
checkpoint.email_session_id
-
Connection uuid.
type: keyword
-
checkpoint.event_count
-
Number of events associated with the log.
type: long
-
checkpoint.sys_message
-
System messages.
type: keyword
-
checkpoint.logid
-
System messages.
type: keyword
-
checkpoint.failure_impact
-
The impact of update service failure.
type: keyword
-
checkpoint.id
-
Override application ID.
type: integer
-
checkpoint.identity_src
-
The source for authentication identity information.
type: keyword
-
checkpoint.information
-
Policy installation status for a specific blade.
type: keyword
-
checkpoint.layer_name
-
Layer name.
type: keyword
-
checkpoint.layer_uuid
-
Layer UUID.
type: keyword
-
checkpoint.log_id
-
Unique identity for logs.
type: integer
-
checkpoint.malware_family
-
Additional information on protection.
type: keyword
-
checkpoint.origin_sic_name
-
Machine SIC.
type: keyword
-
checkpoint.policy_mgmt
-
Name of the Management Server that manages this Security Gateway.
type: keyword
-
checkpoint.policy_name
-
Name of the last policy that this Security Gateway fetched.
type: keyword
-
checkpoint.protection_id
-
Protection malware id.
type: keyword
-
checkpoint.protection_name
-
Specific signature name of the attack.
type: keyword
-
checkpoint.protection_type
-
Type of protection used to detect the attack.
type: keyword
-
checkpoint.protocol
-
Protocol detected on the connection.
type: keyword
-
checkpoint.proxy_src_ip
-
Sender source IP (even when using proxy).
type: ip
-
checkpoint.rule
-
Matched rule number.
type: integer
-
checkpoint.rule_action
-
Action of the matched rule in the access policy.
type: keyword
-
checkpoint.scan_direction
-
Scan direction.
type: keyword
-
checkpoint.session_id
-
Log uuid.
type: keyword
-
checkpoint.source_os
-
OS which generated the attack.
type: keyword
-
checkpoint.src_country
-
Country name, derived from connection source IP address.
type: keyword
-
checkpoint.src_user_name
-
User name connected to source IP.
type: keyword
-
checkpoint.ticket_id
-
Unique ID per file.
type: keyword
-
checkpoint.tls_server_host_name
-
SNI/CN from encrypted TLS connection used by URLF for categorization.
type: keyword
-
checkpoint.verdict
-
TE engine verdict. Possible values: Malicious/Benign/Error.
type: keyword
-
checkpoint.user
-
Source user name.
type: keyword
-
checkpoint.vendor_list
-
The vendor name that provided the verdict for a malicious URL.
type: keyword
-
checkpoint.web_server_type
-
Web server detected in the HTTP response.
type: keyword
-
checkpoint.client_name
-
Client Application or Software Blade that detected the event.
type: keyword
-
checkpoint.client_version
-
Build version of SandBlast Agent client installed on the computer.
type: keyword
-
checkpoint.extension_version
-
Build version of the SandBlast Agent browser extension.
type: keyword
-
checkpoint.host_time
-
Local time on the endpoint computer.
type: keyword
-
checkpoint.installed_products
-
List of installed Endpoint Software Blades.
type: keyword
-
checkpoint.cc
-
The Carbon Copy address of the email.
type: keyword
-
checkpoint.parent_process_username
-
Owner username of the parent process of the process that triggered the attack.
type: keyword
-
checkpoint.process_username
-
Owner username of the process that triggered the attack.
type: keyword
-
checkpoint.audit_status
-
Audit Status. Can be Success or Failure.
type: keyword
-
checkpoint.objecttable
-
Table of affected objects.
type: keyword
-
checkpoint.objecttype
-
The type of the affected object.
type: keyword
-
checkpoint.operation_number
-
The operation number.
type: keyword
-
checkpoint.email_recipients_num
-
Amount of recipients whom the mail was sent to.
type: integer
-
checkpoint.suppressed_logs
-
Aggregated connections for five minutes on the same source, destination and port.
type: integer
-
checkpoint.blade_name
-
Blade name.
type: keyword
-
checkpoint.status
-
Ok/Warning/Error.
type: keyword
-
checkpoint.short_desc
-
Short description of the process that was executed.
type: keyword
-
checkpoint.long_desc
-
More information on the process (usually describing error reason in failure).
type: keyword
-
checkpoint.scan_hosts_hour
-
Number of unique hosts during the last hour.
type: integer
-
checkpoint.scan_hosts_day
-
Number of unique hosts during the last day.
type: integer
-
checkpoint.scan_hosts_week
-
Number of unique hosts during the last week.
type: integer
-
checkpoint.unique_detected_hour
-
Detected virus for a specific host during the last hour.
type: integer
-
checkpoint.unique_detected_day
-
Detected virus for a specific host during the last day.
type: integer
-
checkpoint.unique_detected_week
-
Detected virus for a specific host during the last week.
type: integer
-
checkpoint.scan_mail
-
Number of emails that were scanned by "AB malicious activity" engine.
type: integer
-
checkpoint.additional_ip
-
DNS host name.
type: keyword
-
checkpoint.description
-
Additional explanation how the security gateway enforced the connection.
type: keyword
-
checkpoint.email_spam_category
-
Email categories. Possible values: spam/not spam/phishing.
type: keyword
-
checkpoint.email_control_analysis
-
Message classification, received from spam vendor engine.
type: keyword
-
checkpoint.scan_results
-
"Infected"/description of a failure.
type: keyword
-
checkpoint.original_queue_id
-
Original postfix email queue id.
type: keyword
-
checkpoint.risk
-
Risk level we got from the engine.
type: keyword
-
checkpoint.roles
-
The role of identity.
type: keyword
-
checkpoint.observable_name
-
IOC observable signature name.
type: keyword
-
checkpoint.observable_id
-
IOC observable signature id.
type: keyword
-
checkpoint.observable_comment
-
IOC observable signature description.
type: keyword
-
checkpoint.indicator_name
-
IOC indicator name.
type: keyword
-
checkpoint.indicator_description
-
IOC indicator description.
type: keyword
-
checkpoint.indicator_reference
-
IOC indicator reference.
type: keyword
-
checkpoint.indicator_uuid
-
IOC indicator uuid.
type: keyword
-
checkpoint.app_desc
-
Application description.
type: keyword
-
checkpoint.app_id
-
Application ID.
type: integer
-
checkpoint.app_sig_id
-
IOC indicator description.
type: keyword
-
checkpoint.certificate_resource
-
HTTPS resource. Possible values: SNI or domain name (DN).
type: keyword
-
checkpoint.certificate_validation
-
Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature.
type: keyword
-
checkpoint.browse_time
-
Application session browse time.
type: keyword
-
checkpoint.limit_requested
-
Indicates whether data limit was requested for the session.
type: integer
-
checkpoint.limit_applied
-
Indicates whether the session was actually data limited.
type: integer
-
checkpoint.dropped_total
-
Amount of dropped packets (both incoming and outgoing).
type: integer
-
checkpoint.client_type_os
-
Client OS detected in the HTTP request.
type: keyword
-
checkpoint.name
-
Application name.
type: keyword
-
checkpoint.properties
-
Application categories.
type: keyword
-
checkpoint.sig_id
-
Application's signature ID, by which the application was detected.
type: keyword
-
checkpoint.desc
-
Override application description.
type: keyword
-
checkpoint.referrer_self_uid
-
UUID of the current log.
type: keyword
-
checkpoint.referrer_parent_uid
-
Log UUID of the referring application.
type: keyword
-
checkpoint.needs_browse_time
-
Browse time required for the connection.
type: integer
-
checkpoint.cluster_info
-
Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.
type: keyword
-
checkpoint.sync
-
Sync status and the reason (stable, at risk).
type: keyword
-
checkpoint.file_direction
-
File direction. Possible options: upload/download.
type: keyword
-
checkpoint.invalid_file_size
-
File_size field is valid only if this field is set to 0.
type: integer
-
checkpoint.top_archive_file_name
-
In case of archive file: the file that was sent/received.
type: keyword
-
checkpoint.data_type_name
-
Data type in rulebase that was matched.
type: keyword
-
checkpoint.specific_data_type_name
-
Compound/Group scenario, data type that was matched.
type: keyword
-
checkpoint.word_list
-
Words matched by data type.
type: keyword
-
checkpoint.info
-
Special log message.
type: keyword
-
checkpoint.outgoing_url
-
URL related to this log (for HTTP).
type: keyword
-
checkpoint.dlp_rule_name
-
Matched rule name.
type: keyword
-
checkpoint.dlp_recipients
-
Mail recipients.
type: keyword
-
checkpoint.dlp_subject
-
Mail subject.
type: keyword
-
checkpoint.dlp_word_list
-
Phrases matched by data type.
type: keyword
-
checkpoint.dlp_template_score
-
Template data type match score.
type: keyword
-
checkpoint.message_size
-
Mail/post size.
type: integer
-
checkpoint.dlp_incident_uid
-
Unique ID of the matched rule.
type: keyword
-
checkpoint.dlp_related_incident_uid
-
Other ID related to this one.
type: keyword
-
checkpoint.dlp_data_type_name
-
Matched data type.
type: keyword
-
checkpoint.dlp_data_type_uid
-
Unique ID of the matched data type.
type: keyword
-
checkpoint.dlp_violation_description
-
Violation descriptions described in the rulebase.
type: keyword
-
checkpoint.dlp_relevant_data_types
-
In case of Compound/Group: the inner data types that were matched.
type: keyword
-
checkpoint.dlp_action_reason
-
Action chosen reason.
type: keyword
-
checkpoint.dlp_categories
-
Data type category.
type: keyword
-
checkpoint.dlp_transint
-
HTTP/SMTP/FTP.
type: keyword
-
checkpoint.duplicate
-
Log marked as duplicated, when mail is split and the Security Gateway sees it twice.
type: keyword
-
checkpoint.incident_extension
-
Matched data type.
type: keyword
-
checkpoint.matched_file
-
Unique ID of the matched data type.
type: keyword
-
checkpoint.matched_file_text_segments
-
Fingerprint: number of text segments matched by this traffic.
type: integer
-
checkpoint.matched_file_percentage
-
Fingerprint: match percentage of the traffic.
type: integer
-
checkpoint.dlp_additional_action
-
Watermark/None.
type: keyword
-
checkpoint.dlp_watermark_profile
-
Watermark which was applied.
type: keyword
-
checkpoint.dlp_repository_id
-
ID of scanned repository.
type: keyword
-
checkpoint.dlp_repository_root_path
-
Repository path.
type: keyword
-
checkpoint.scan_id
-
Sequential number of scan.
type: keyword
-
checkpoint.special_properties
-
If this field is set to 1 the log will not be shown (in use for monitoring scan progress).
type: integer
-
checkpoint.dlp_repository_total_size
-
Repository size.
type: integer
-
checkpoint.dlp_repository_files_number
-
Number of files in repository.
type: integer
-
checkpoint.dlp_repository_scanned_files_number
-
Number of scanned files in repository.
type: integer
-
checkpoint.duration
-
Scan duration.
type: keyword
-
checkpoint.dlp_fingerprint_long_status
-
Scan status - long format.
type: keyword
-
checkpoint.dlp_fingerprint_short_status
-
Scan status - short format.
type: keyword
-
checkpoint.dlp_repository_directories_number
-
Number of directories in repository.
type: integer
-
checkpoint.dlp_repository_unreachable_directories_number
-
Number of directories the Security Gateway was unable to read.
type: integer
-
checkpoint.dlp_fingerprint_files_number
-
Number of successfully scanned files in repository.
type: integer
-
checkpoint.dlp_repository_skipped_files_number
-
Skipped number of files because of configuration.
type: integer
-
checkpoint.dlp_repository_scanned_directories_number
-
Amount of directories scanned.
type: integer
-
checkpoint.number_of_errors
-
Number of files that were not scanned due to an error.
type: integer
-
checkpoint.next_scheduled_scan_date
-
Next scan scheduled time according to time object.
type: keyword
-
checkpoint.dlp_repository_scanned_total_size
-
Size scanned.
type: integer
-
checkpoint.dlp_repository_reached_directories_number
-
Number of scanned directories in repository.
type: integer
-
checkpoint.dlp_repository_not_scanned_directories_percentage
-
Percentage of directories the Security Gateway was unable to read.
type: integer
-
checkpoint.speed
-
Current scan speed.
type: integer
-
checkpoint.dlp_repository_scan_progress
-
Scan percentage.
type: integer
-
checkpoint.sub_policy_name
-
Layer name.
type: keyword
-
checkpoint.sub_policy_uid
-
Layer uid.
type: keyword
-
checkpoint.fw_message
-
Used for various firewall errors.
type: keyword
-
checkpoint.message
-
ISP link has failed.
type: keyword
-
checkpoint.isp_link
-
Name of ISP link.
type: keyword
-
checkpoint.fw_subproduct
-
Can be vpn/non vpn.
type: keyword
-
checkpoint.sctp_error
-
Error information: what caused SCTP to fail on out_of_state.
type: keyword
-
checkpoint.chunk_type
-
Chunk of the SCTP stream.
type: keyword
-
checkpoint.sctp_association_state
-
The bad state you were trying to update to.
type: keyword
-
checkpoint.tcp_packet_out_of_state
-
State violation.
type: keyword
-
checkpoint.tcp_flags
-
TCP packet flags (SYN, ACK, etc.).
type: keyword
-
checkpoint.connectivity_level
-
Log for a new connection in wire mode.
type: keyword
-
checkpoint.ip_option
-
IP option that was dropped.
type: integer
-
checkpoint.tcp_state
-
Log reporting a TCP state change.
type: keyword
-
checkpoint.expire_time
-
Connection closing time.
type: keyword
-
checkpoint.icmp_type
-
In case a connection is ICMP, type info will be added to the log.
type: integer
-
checkpoint.icmp_code
-
In case a connection is ICMP, code info will be added to the log.
type: integer
-
checkpoint.rpc_prog
-
Log for new RPC state - prog values.
type: integer
-
checkpoint.dce-rpc_interface_uuid
-
Log for new RPC state - UUID values.
type: keyword
-
checkpoint.elapsed
-
Time passed since start time.
type: keyword
-
checkpoint.icmp
-
Number of packets, received by the client.
type: keyword
-
checkpoint.capture_uuid
-
UUID generated for the capture. Used when enabling the capture when logging.
type: keyword
-
checkpoint.diameter_app_ID
-
The ID of diameter application.
type: integer
-
checkpoint.diameter_cmd_code
-
Diameter not allowed application command id.
type: integer
-
checkpoint.diameter_msg_type
-
Diameter message type.
type: keyword
-
checkpoint.cp_message
-
Used to log a general message.
type: integer
-
checkpoint.log_delay
-
Time left before deleting template.
type: integer
-
checkpoint.attack_status
-
In case of a malicious event on an endpoint computer, the status of the attack.
type: keyword
-
checkpoint.impacted_files
-
In case of an infection on an endpoint computer, the list of files that the malware impacted.
type: keyword
-
checkpoint.remediated_files
-
In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.
type: keyword
-
checkpoint.triggered_by
-
The name of the mechanism that triggered the Software Blade to enforce a protection.
type: keyword
-
checkpoint.https_inspection_rule_id
-
ID of the matched rule.
type: keyword
-
checkpoint.https_inspection_rule_name
-
Name of the matched rule.
type: keyword
-
checkpoint.app_properties
-
List of all found categories.
type: keyword
-
checkpoint.https_validation
-
Precise error, describing HTTPS inspection failure.
type: keyword
-
checkpoint.https_inspection_action
-
HTTPS inspection action (Inspect/Bypass/Error).
type: keyword
-
checkpoint.icap_service_id
-
Service ID, can work with multiple servers, treated as services.
type: integer
-
checkpoint.icap_server_name
-
Server name.
type: keyword
-
checkpoint.internal_error
-
Internal error, for troubleshooting.
type: keyword
-
checkpoint.icap_more_info
-
Free text for verdict.
type: integer
-
checkpoint.reply_status
-
ICAP reply status code, e.g. 200 or 204.
type: integer
-
checkpoint.icap_server_service
-
Service name, as given in the ICAP URI.
type: keyword
-
checkpoint.mirror_and_decrypt_type
-
Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
type: keyword
-
checkpoint.interface_name
-
Designated interface for Mirror and Decrypt.
type: keyword
-
checkpoint.session_uid
-
HTTP session-id.
type: keyword
-
checkpoint.broker_publisher
-
IP address of the broker publisher who shared the session information.
type: ip
-
checkpoint.src_user_dn
-
User distinguished name connected to source IP.
type: keyword
-
checkpoint.proxy_user_name
-
User name connected to proxy IP.
type: keyword
-
checkpoint.proxy_machine_name
-
Machine name connected to proxy IP.
type: integer
-
checkpoint.proxy_user_dn
-
User distinguished name connected to proxy IP.
type: keyword
-
checkpoint.query
-
DNS query.
type: keyword
-
checkpoint.dns_query
-
DNS query.
type: keyword
-
checkpoint.inspection_item
-
Blade element that performed the inspection.
type: keyword
-
checkpoint.performance_impact
-
Protection performance impact.
type: integer
-
checkpoint.inspection_category
-
Inspection category: protocol anomaly, signature etc.
type: keyword
-
checkpoint.inspection_profile
-
Profile which the activated protection belongs to.
type: keyword
-
checkpoint.summary
-
Summary message for non-compliant DNS traffic drops or detects.
type: keyword
-
checkpoint.question_rdata
-
List of question records domains.
type: keyword
-
checkpoint.answer_rdata
-
List of answer resource records to the questioned domains.
type: keyword
-
checkpoint.authority_rdata
-
List of authoritative servers.
type: keyword
-
checkpoint.additional_rdata
-
List of additional resource records.
type: keyword
-
checkpoint.files_names
-
List of files requested by FTP.
type: keyword
-
checkpoint.ftp_user
-
FTP username.
type: keyword
-
checkpoint.mime_from
-
Sender’s address.
type: keyword
-
checkpoint.mime_to
-
List of receiver addresses.
type: keyword
-
checkpoint.bcc
-
List of BCC addresses.
type: keyword
-
checkpoint.content_type
-
Mail content type. Possible values: application/msword, text/html, image/gif etc.
type: keyword
-
checkpoint.user_agent
-
String identifying requesting software user agent.
type: keyword
-
checkpoint.referrer
-
Referrer HTTP request header, previous web page address.
type: keyword
-
checkpoint.http_location
-
Response header, indicates the URL to redirect a page to.
type: keyword
-
checkpoint.content_disposition
-
Indicates how the content is expected to be displayed inline in the browser.
type: keyword
-
checkpoint.via
-
Via header is added by proxies for tracking purposes, to avoid sending requests in a loop.
type: keyword
-
checkpoint.http_server
-
Server HTTP header value, contains information about the software used by the origin server, which handles the request.
type: keyword
-
checkpoint.content_length
-
Indicates the size of the entity-body of the HTTP header.
type: keyword
-
checkpoint.authorization
-
Authorization HTTP header value.
type: keyword
-
checkpoint.http_host
-
Domain name of the server that the HTTP request is sent to.
type: keyword
-
checkpoint.inspection_settings_log
-
Indicates that the log was released by inspection settings.
type: keyword
-
checkpoint.cvpn_resource
-
Mobile Access application.
type: keyword
-
checkpoint.cvpn_category
-
Mobile Access application type.
type: keyword
-
checkpoint.url
-
Translated URL.
type: keyword
-
checkpoint.reject_id
-
A reject ID that corresponds to the one presented in the Mobile Access error page.
type: keyword
-
checkpoint.fs-proto
-
The file share protocol used in the Mobile Access file share application.
type: keyword
-
checkpoint.app_package
-
Unique identifier of the application on the protected mobile device.
type: keyword
-
checkpoint.appi_name
-
Name of application downloaded on the protected mobile device.
type: keyword
-
checkpoint.app_repackaged
-
Indicates whether the original application was repackaged by someone other than the official developer.
type: keyword
-
checkpoint.app_sid_id
-
Unique SHA identifier of a mobile application.
type: keyword
-
checkpoint.app_version
-
Version of the application downloaded on the protected mobile device.
type: keyword
-
checkpoint.developer_certificate_name
-
Name of the developer’s certificate that was used to sign the mobile application.
type: keyword
-
checkpoint.email_control
-
Engine name.
type: keyword
-
checkpoint.email_message_id
-
Email session id (unique ID of the mail).
type: keyword
-
checkpoint.email_queue_id
-
Postfix email queue id.
type: keyword
-
checkpoint.email_queue_name
-
Postfix email queue name.
type: keyword
-
checkpoint.file_name
-
Malicious file name.
type: keyword
-
checkpoint.failure_reason
-
MTA failure description.
type: keyword
-
checkpoint.email_headers
-
String containing all the email headers.
type: keyword
-
checkpoint.arrival_time
-
Email arrival timestamp.
type: keyword
-
checkpoint.email_status
-
Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended.
type: keyword
-
checkpoint.status_update
-
Last time log was updated.
type: keyword
-
checkpoint.delivery_time
-
Timestamp of when the email was delivered (MTA finished handling the email).
type: keyword
-
checkpoint.links_num
-
Number of links in the mail.
type: integer
-
checkpoint.attachments_num
-
Number of attachments in the mail.
type: integer
-
checkpoint.email_content
-
Mail contents. Possible options: attachments/links & attachments/links/text only.
type: keyword
-
checkpoint.allocated_ports
-
Amount of allocated ports.
type: integer
-
checkpoint.capacity
-
Capacity of the ports.
type: integer
-
checkpoint.ports_usage
-
Percentage of allocated ports.
type: integer
-
checkpoint.nat_exhausted_pool
-
4-tuple of an exhausted pool.
type: keyword
-
checkpoint.nat_rulenum
-
NAT rulebase first matched rule.
type: integer
-
checkpoint.nat_addtnl_rulenum
-
When matching two automatic rules, the second rule match is shown; otherwise the field is 0.
type: integer
-
checkpoint.message_info
-
Used for information messages, for example: NAT connection has ended.
type: keyword
-
checkpoint.nat46
-
NAT 46 status, in most cases "enabled".
type: keyword
-
checkpoint.end_time
-
TCP connection end time.
type: keyword
-
checkpoint.tcp_end_reason
-
Reason for TCP connection closure.
type: keyword
-
checkpoint.cgnet
-
Describes NAT allocation for specific subscriber.
type: keyword
-
checkpoint.subscriber
-
Source IP before CGNAT.
type: ip
-
checkpoint.hide_ip
-
Source IP which will be used after CGNAT.
type: ip
-
checkpoint.int_start
-
Subscriber start int which will be used for NAT.
type: integer
-
checkpoint.int_end
-
Subscriber end int which will be used for NAT.
type: integer
-
checkpoint.packet_amount
-
Amount of packets dropped.
type: integer
-
checkpoint.monitor_reason
-
Aggregated logs of monitored packets.
type: keyword
-
checkpoint.drops_amount
-
Amount of multicast packets dropped.
type: integer
-
checkpoint.securexl_message
-
Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
type: keyword
-
checkpoint.conns_amount
-
Connections amount of aggregated log info.
type: integer
-
checkpoint.scope
-
IP related to the attack.
type: keyword
-
checkpoint.analyzed_on
-
Check Point ThreatCloud / emulator name.
type: keyword
-
checkpoint.detected_on
-
System and applications version the file was emulated on.
type: keyword
-
checkpoint.dropped_file_name
-
List of names dropped from the original file.
type: keyword
-
checkpoint.dropped_file_type
-
List of file types dropped from the original file.
type: keyword
-
checkpoint.dropped_file_hash
-
List of file hashes dropped from the original file.
type: keyword
-
checkpoint.dropped_file_verdict
-
List of file verdicts dropped from the original file.
type: keyword
-
checkpoint.emulated_on
-
Images the files were emulated on.
type: keyword
-
checkpoint.extracted_file_type
-
Types of extracted files in case of an archive.
type: keyword
-
checkpoint.extracted_file_names
-
Names of extracted files in case of an archive.
type: keyword
-
checkpoint.extracted_file_hash
-
Archive hash in case of extracted files.
type: keyword
-
checkpoint.extracted_file_verdict
-
Verdict of extracted files in case of an archive.
type: keyword
-
checkpoint.extracted_file_uid
-
UID of extracted files in case of an archive.
type: keyword
-
checkpoint.mitre_initial_access
-
The adversary is trying to break into your network.
type: keyword
-
checkpoint.mitre_execution
-
The adversary is trying to run malicious code.
type: keyword
-
checkpoint.mitre_persistence
-
The adversary is trying to maintain his foothold.
type: keyword
-
checkpoint.mitre_privilege_escalation
-
The adversary is trying to gain higher-level permissions.
type: keyword
-
checkpoint.mitre_defense_evasion
-
The adversary is trying to avoid being detected.
type: keyword
-
checkpoint.mitre_credential_access
-
The adversary is trying to steal account names and passwords.
type: keyword
-
checkpoint.mitre_discovery
-
The adversary is trying to expose information about your environment.
type: keyword
-
checkpoint.mitre_lateral_movement
-
The adversary is trying to explore your environment.
type: keyword
-
checkpoint.mitre_collection
-
The adversary is trying to collect data of interest to achieve his goal.
type: keyword
-
checkpoint.mitre_command_and_control
-
The adversary is trying to communicate with compromised systems in order to control them.
type: keyword
-
checkpoint.mitre_exfiltration
-
The adversary is trying to steal data.
type: keyword
-
checkpoint.mitre_impact
-
The adversary is trying to manipulate, interrupt, or destroy your systems and data.
type: keyword
-
checkpoint.parent_file_hash
-
Archive’s hash in case of extracted files.
type: keyword
-
checkpoint.parent_file_name
-
Archive’s name in case of extracted files.
type: keyword
-
checkpoint.parent_file_uid
-
Archive’s UID in case of extracted files.
type: keyword
-
checkpoint.similiar_iocs
-
Other IoCs similar to the ones found, related to the malicious file.
type: keyword
-
checkpoint.similar_hashes
-
Hashes found similar to the malicious file.
type: keyword
-
checkpoint.similar_strings
-
Strings found similar to the malicious file.
type: keyword
-
checkpoint.similar_communication
-
Network action found similar to the malicious file.
type: keyword
-
checkpoint.te_verdict_determined_by
-
Emulators determined file verdict.
type: keyword
-
checkpoint.packet_capture_unique_id
-
Identifier of the packet capture files.
type: keyword
-
checkpoint.total_attachments
-
The number of attachments in an email.
type: integer
-
checkpoint.additional_info
-
ID of original file/mail which are sent by admin.
type: keyword
-
checkpoint.content_risk
-
File risk.
type: integer
-
checkpoint.operation
-
Operation made by Threat Extraction.
type: keyword
-
checkpoint.scrubbed_content
-
Active content that was found.
type: keyword
-
checkpoint.scrub_time
-
Extraction process duration.
type: keyword
-
checkpoint.scrub_download_time
-
File download time from resource.
type: keyword
-
checkpoint.scrub_total_time
-
Threat extraction total file handling time.
type: keyword
-
checkpoint.scrub_activity
-
The result of the extraction.
type: keyword
-
checkpoint.watermark
-
Reports whether watermark is added to the cleaned file.
type: keyword
-
checkpoint.snid
-
The Check Point session ID.
type: keyword
-
checkpoint.source_object
-
Matched object name on source column.
type: keyword
-
checkpoint.destination_object
-
Matched object name on destination column.
type: keyword
-
checkpoint.drop_reason
-
Drop reason description.
type: keyword
-
checkpoint.hit
-
Number of hits on a rule.
type: integer
-
checkpoint.rulebase_id
-
Layer number.
type: integer
-
checkpoint.first_hit_time
-
First hit time in current interval.
type: integer
-
checkpoint.last_hit_time
-
Last hit time in current interval.
type: integer
-
checkpoint.rematch_info
-
Information sent when old connections cannot be matched during policy installation.
type: keyword
-
checkpoint.last_rematch_time
-
Connection rematched time.
type: keyword
-
checkpoint.action_reason
-
Connection drop reason.
type: integer
-
checkpoint.action_reason_msg
-
Connection drop reason message.
type: keyword
-
checkpoint.c_bytes
-
Boolean value indicates whether bytes sent from the client side are used.
type: integer
-
checkpoint.context_num
-
Serial number of the log for a specific connection.
type: integer
-
checkpoint.match_id
-
Private key of the rule.
type: integer
-
checkpoint.alert
-
Alert level of matched rule (for connection logs).
type: keyword
-
checkpoint.parent_rule
-
Parent rule number, in case of inline layer.
type: integer
-
checkpoint.match_fk
-
Rule number.
type: integer
-
checkpoint.dropped_outgoing
-
Number of outgoing bytes dropped when using UP-limit feature.
type: integer
-
checkpoint.dropped_incoming
-
Number of incoming bytes dropped when using UP-limit feature.
type: integer
-
checkpoint.media_type
-
Media used (audio, video, etc.)
type: keyword
-
checkpoint.sip_reason
-
Explains why source_ip isn’t allowed to redirect (handover).
type: keyword
-
checkpoint.voip_method
-
Registration request.
type: keyword
-
checkpoint.registered_ip-phones
-
Registered IP-Phones.
type: keyword
-
checkpoint.voip_reg_user_type
-
Registered IP-Phone type.
type: keyword
-
checkpoint.voip_call_id
-
Call-ID.
type: keyword
-
checkpoint.voip_reg_int
-
Registration port.
type: integer
-
checkpoint.voip_reg_ipp
-
Registration IP protocol.
type: integer
-
checkpoint.voip_reg_period
-
Registration period.
type: integer
-
checkpoint.voip_log_type
-
VoIP log types. Possible values: reject, call, registration.
type: keyword
-
checkpoint.src_phone_number
-
Source IP-Phone.
type: keyword
-
checkpoint.voip_from_user_type
-
Source IP-Phone type.
type: keyword
-
checkpoint.dst_phone_number
-
Destination IP-Phone.
type: keyword
-
checkpoint.voip_to_user_type
-
Destination IP-Phone type.
type: keyword
-
checkpoint.voip_call_dir
-
Call direction: in/out.
type: keyword
-
checkpoint.voip_call_state
-
Call state. Possible values: in/out.
type: keyword
-
checkpoint.voip_call_term_time
-
Call termination time stamp.
type: keyword
-
checkpoint.voip_duration
-
Call duration (seconds).
type: keyword
-
checkpoint.voip_media_port
-
Media int.
type: keyword
-
checkpoint.voip_media_ipp
-
Media IP protocol.
type: keyword
-
checkpoint.voip_est_codec
-
Estimated codec.
type: keyword
-
checkpoint.voip_exp
-
Expiration.
type: integer
-
checkpoint.voip_attach_sz
-
Attachment size.
type: integer
-
checkpoint.voip_attach_action_info
-
Attachment action Info.
type: keyword
-
checkpoint.voip_media_codec
-
Estimated codec.
type: keyword
-
checkpoint.voip_reject_reason
-
Reject reason.
type: keyword
-
checkpoint.voip_reason_info
-
Information.
type: keyword
-
checkpoint.voip_config
-
Configuration.
type: keyword
-
checkpoint.voip_reg_server
-
Registrar server IP address.
type: ip
-
checkpoint.scv_user
-
Username whose packets are dropped on SCV.
type: keyword
-
checkpoint.scv_message_info
-
Drop reason.
type: keyword
-
checkpoint.ppp
-
Authentication status.
type: keyword
-
checkpoint.scheme
-
Describes the scheme used for the log.
type: keyword
-
checkpoint.auth_method
-
Password authentication protocol used (PAP or EAP).
type: keyword
-
checkpoint.auth_status
-
The authentication status for an event.
type: keyword
-
checkpoint.machine
-
L2TP machine which triggered the log and the log refers to it.
type: keyword
-
checkpoint.vpn_feature_name
-
L2TP /IKE / Link Selection.
type: keyword
-
checkpoint.reject_category
-
Authentication failure reason.
type: keyword
-
checkpoint.peer_ip_probing_status_update
-
IP address response status.
type: keyword
-
checkpoint.peer_ip
-
IP address which the client connects to.
type: keyword
-
checkpoint.peer_gateway
-
Main IP of the peer Security Gateway.
type: ip
-
checkpoint.link_probing_status_update
-
IP address response status.
type: keyword
-
checkpoint.source_interface
-
External Interface name for source interface or Null if not found.
type: keyword
-
checkpoint.next_hop_ip
-
Next hop IP address.
type: keyword
-
checkpoint.srckeyid
-
Initiator Spi ID.
type: keyword
-
checkpoint.dstkeyid
-
Responder Spi ID.
type: keyword
-
checkpoint.encryption_failure
-
Message indicating why the encryption failed.
type: keyword
-
checkpoint.ike_ids
-
All QM ids.
type: keyword
-
checkpoint.community
-
Community name for the IPSec key and the use of the IKEv.
type: keyword
-
checkpoint.ike
-
IKE mode (PHASE1, PHASE2, etc.).
type: keyword
-
checkpoint.cookieI
-
Initiator cookie.
type: keyword
-
checkpoint.cookieR
-
Responder cookie.
type: keyword
-
checkpoint.msgid
-
Message ID.
type: keyword
-
checkpoint.methods
-
IPsec methods.
type: keyword
-
checkpoint.connection_uid
-
Calculation of md5 of the IP and user name as UID.
type: keyword
-
checkpoint.site_name
-
Site name.
type: keyword
-
checkpoint.esod_rule_name
-
Unknown rule name.
type: keyword
-
checkpoint.esod_rule_action
-
Unknown rule action.
type: keyword
-
checkpoint.esod_rule_type
-
Unknown rule type.
type: keyword
-
checkpoint.esod_noncompliance_reason
-
Non-compliance reason.
type: keyword
-
checkpoint.esod_associated_policies
-
Associated policies.
type: keyword
-
checkpoint.spyware_name
-
Spyware name.
type: keyword
-
checkpoint.spyware_type
-
Spyware type.
type: keyword
-
checkpoint.anti_virus_type
-
Anti virus type.
type: keyword
-
checkpoint.end_user_firewall_type
-
End user firewall type.
type: keyword
-
checkpoint.esod_scan_status
-
Scan failed.
type: keyword
-
checkpoint.esod_access_status
-
Access denied.
type: keyword
-
checkpoint.client_type
-
Endpoint Connect.
type: keyword
-
checkpoint.precise_error
-
HTTP parser error.
type: keyword
-
checkpoint.method
-
HTTP method.
type: keyword
-
checkpoint.trusted_domain
-
In case of phishing event, the domain, which the attacker was impersonating.
type: keyword
-
checkpoint.comment
-
type: keyword
-
checkpoint.conn_direction
-
Connection direction.
type: keyword
-
checkpoint.db_ver
-
Database version.
type: keyword
-
checkpoint.update_status
-
Status of database update.
type: keyword