Checkpoint fields

Confidence level determined by ThreatCloud.

type: integer

Log description.

type: keyword

Destination country.

type: keyword

Connected user name on the destination IP.

type: keyword

Email number in smtp connection.

type: keyword

Original email subject.

type: keyword

Connection uuid.

type: keyword

Number of events associated with the log.

type: long

System messages

type: keyword

System messages

type: keyword

The impact of update service failure.

type: keyword

Override application ID.

type: integer

The source for authentication identity information.

type: keyword

Policy installation status for a specific blade.

type: keyword

Layer name.

type: keyword

Layer UUID.

type: keyword

Unique identity for logs.

type: integer

Additional information on protection.

type: keyword

Machine SIC.

type: keyword

Name of the Management Server that manages this Security Gateway.

type: keyword

Name of the last policy that this Security Gateway fetched.

type: keyword

Protection malware id.

type: keyword

Specific signature name of the attack.

type: keyword

Type of protection used to detect the attack.

type: keyword

Protocol detected on the connection.

type: keyword

Sender source IP (even when using proxy).

type: ip

Matched rule number.

type: integer

Action of the matched rule in the access policy.

type: keyword

Scan direction.

type: keyword

Log uuid.

type: keyword

OS which generated the attack.

type: keyword

Country name, derived from connection source IP address.

type: keyword

User name connected to source IP

type: keyword

Unique ID per file.

type: keyword

SNI/CN from encrypted TLS connection used by URLF for categorization.

type: keyword

TE engine verdict Possible values: Malicious/Benign/Error.

type: keyword

Source user name.

type: keyword

The vendor name that provided the verdict for a malicious URL.

type: keyword

Web server detected in the HTTP response.

type: keyword

Client Application or Software Blade that detected the event.

type: keyword

Build version of SandBlast Agent client installed on the computer.

type: keyword

Build version of the SandBlast Agent browser extension.

type: keyword

Local time on the endpoint computer.

type: keyword

List of installed Endpoint Software Blades.

type: keyword

The Carbon Copy address of the email.

type: keyword

Owner username of the parent process of the process that triggered the attack.

type: keyword

Owner username of the process that triggered the attack.

type: keyword

Audit Status. Can be Success or Failure.

type: keyword

Table of affected objects.

type: keyword

The type of the affected object.

type: keyword

The operation nuber.

type: keyword

Amount of recipients whom the mail was sent to.

type: integer

Aggregated connections for five minutes on the same source, destination and port.

type: integer

Blade name.

type: keyword

Ok/Warning/Error.

type: keyword

Short description of the process that was executed.

type: keyword

More information on the process (usually describing error reason in failure).

type: keyword

Number of unique hosts during the last hour.

type: integer

Number of unique hosts during the last day.

type: integer

Number of unique hosts during the last week.

type: integer

Detected virus for a specific host during the last hour.

type: integer

Detected virus for a specific host during the last day.

type: integer

Detected virus for a specific host during the last week.

type: integer

Number of emails that were scanned by "AB malicious activity" engine.

type: integer

DNS host name.

type: keyword

Additional explanation how the security gateway enforced the connection.

type: keyword

Email categories. Possible values: spam/not spam/phishing.

type: keyword

Message classification, received from spam vendor engine.

type: keyword

"Infected"/description of a failure.

type: keyword

Original postfix email queue id.

type: keyword

Risk level we got from the engine.

type: keyword

The role of identity.

type: keyword

IOC observable signature name.

type: keyword

IOC observable signature id.

type: keyword

IOC observable signature description.

type: keyword

IOC indicator name.

type: keyword

IOC indicator description.

type: keyword

IOC indicator reference.

type: keyword

IOC indicator uuid.

type: keyword

Application description.

type: keyword

Application ID.

type: integer

IOC indicator description.

type: keyword

HTTPS resource Possible values: SNI or domain name (DN).

type: keyword

Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature.

type: keyword

Application session browse time.

type: keyword

Indicates whether data limit was requested for the session.

type: integer

Indicates whether the session was actually date limited.

type: integer

Amount of dropped packets (both incoming and outgoing).

type: integer

Client OS detected in the HTTP request.

type: keyword

Application name.

type: keyword

Application categories.

type: keyword

Application’s signature ID which how it was detected by.

type: keyword

Override application description.

type: keyword

UUID of the current log.

type: keyword

Log UUID of the referring application.

type: keyword

Browse time required for the connection.

type: integer

Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.

type: keyword

Sync status and the reason (stable, at risk).

type: keyword

File direction. Possible options: upload/download.

type: keyword

File_size field is valid only if this field is set to 0.

type: integer

In case of archive file: the file that was sent/received.

type: keyword

Data type in rulebase that was matched.

type: keyword

Compound/Group scenario, data type that was matched.

type: keyword

Words matched by data type.

type: keyword

Special log message.

type: keyword

URL related to this log (for HTTP).

type: keyword

Matched rule name.

type: keyword

Mail recipients.

type: keyword

Mail subject.

type: keyword

Phrases matched by data type.

type: keyword

Template data type match score.

type: keyword

Mail/post size.

type: integer

Unique ID of the matched rule.

type: keyword

Other ID related to this one.

type: keyword

Matched data type.

type: keyword

Unique ID of the matched data type.

type: keyword

Violation descriptions described in the rulebase.

type: keyword

In case of Compound/Group: the inner data types that were matched.

type: keyword

Action chosen reason.

type: keyword

Data type category.

type: keyword

HTTP/SMTP/FTP.

type: keyword

Log marked as duplicated, when mail is split and the Security Gateway sees it twice.

type: keyword

Matched data type.

type: keyword

Unique ID of the matched data type.

type: keyword

Fingerprint: number of text segments matched by this traffic.

type: integer

Fingerprint: match percentage of the traffic.

type: integer

Watermark/None.

type: keyword

Watermark which was applied.

type: keyword

ID of scanned repository.

type: keyword

Repository path.

type: keyword

Sequential number of scan.

type: keyword

If this field is set to 1 the log will not be shown (in use for monitoring scan progress).

type: integer

Repository size.

type: integer

Number of files in repository.

type: integer

Number of scanned files in repository.

type: integer

Scan duration.

type: keyword

Scan status - long format.

type: keyword

Scan status - short format.

type: keyword

Number of directories in repository.

type: integer

Number of directories the Security Gateway was unable to read.

type: integer

Number of successfully scanned files in repository.

type: integer

Skipped number of files because of configuration.

type: integer

Amount of directories scanned.

type: integer

Number of files that were not scanned due to an error.

type: integer

Next scan scheduled time according to time object.

type: keyword

Size scanned.

type: integer

Number of scanned directories in repository.

type: integer

Percentage of directories the Security Gateway was unable to read.

type: integer

Current scan speed.

type: integer

Scan percentage.

type: integer

Layer name.

type: keyword

Layer uid.

type: keyword

Used for various firewall errors.

type: keyword

ISP link has failed.

type: keyword

Name of ISP link.

type: keyword

Can be vpn/non vpn.

type: keyword

Error information, what caused sctp to fail on out_of_state.

type: keyword

Chunck of the sctp stream.

type: keyword

The bad state you were trying to update to.

type: keyword

State violation.

type: keyword

TCP packet flags (SYN, ACK, etc.,).

type: keyword

Log for a new connection in wire mode.

type: keyword

IP option that was dropped.

type: integer

Log reinting a tcp state change.

type: keyword

Connection closing time.

type: keyword

In case a connection is ICMP, type info will be added to the log.

type: integer

In case a connection is ICMP, code info will be added to the log.

type: integer

Log for new RPC state - prog values.

type: integer

Log for new RPC state - UUID values

type: keyword

Time passed since start time.

type: keyword

Number of packets, received by the client.

type: keyword

UUID generated for the capture. Used when enabling the capture when logging.

type: keyword

The ID of diameter application.

type: integer

Diameter not allowed application command id.

type: integer

Diameter message type.

type: keyword

Used to log a general message.

type: integer

Time left before deleting template.

type: integer

In case of a malicious event on an endpoint computer, the status of the attack.

type: keyword

In case of an infection on an endpoint computer, the list of files that the malware impacted.

type: keyword

In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.

type: keyword

The name of the mechanism that triggered the Software Blade to enforce a protection.

type: keyword

ID of the matched rule.

type: keyword

Name of the matched rule.

type: keyword

List of all found categories.

type: keyword

Precise error, describing HTTPS inspection failure.

type: keyword

HTTPS inspection action (Inspect/Bypass/Error).

type: keyword

Service ID, can work with multiple servers, treated as services.

type: integer

Server name.

type: keyword

Internal error, for troubleshooting

type: keyword

Free text for verdict.

type: integer

ICAP reply status code, e.g. 200 or 204.

type: integer

Service name, as given in the ICAP URI

type: keyword

Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).

type: keyword

Designated interface for mirror And decrypt.

type: keyword

HTTP session-id.

type: keyword

IP address of the broker publisher who shared the session information.

type: ip

User distinguished name connected to source IP.

type: keyword

User name connected to proxy IP.

type: keyword

Machine name connected to proxy IP.

type: integer

User distinguished name connected to proxy IP.

type: keyword

DNS query.

type: keyword

DNS query.

type: keyword

Blade element performed inspection.

type: keyword

Protection performance impact.

type: integer

Inspection category: protocol anomaly, signature etc.

type: keyword

Profile which the activated protection belongs to.

type: keyword

Summary message of a non-compliant DNS traffic drops or detects.

type: keyword

List of question records domains.

type: keyword

List of answer resource records to the questioned domains.

type: keyword

List of authoritative servers.

type: keyword

List of additional resource records.

type: keyword

List of files requested by FTP.

type: keyword

FTP username.

type: keyword

Sender’s address.

type: keyword

List of receiver address.

type: keyword

List of BCC addresses.

type: keyword

Mail content type. Possible values: application/msword, text/html, image/gif etc.

type: keyword

String identifying requesting software user agent.

type: keyword

Referrer HTTP request header, previous web page address.

type: keyword

Response header, indicates the URL to redirect a page to.

type: keyword

Indicates how the content is expected to be displayed inline in the browser.

type: keyword

Via header is added by proxies for tracking purposes to avoid sending reqests in loop.

type: keyword

Server HTTP header value, contains information about the software used by the origin server, which handles the request.

type: keyword

Indicates the size of the entity-body of the HTTP header.

type: keyword

Authorization HTTP header value.

type: keyword

Domain name of the server that the HTTP request is sent to.

type: keyword

Indicats that the log was released by inspection settings.

type: keyword

Mobile Access application.

type: keyword

Mobile Access application type.

type: keyword

Translated URL.

type: keyword

A reject ID that corresponds to the one presented in the Mobile Access error page.

type: keyword

The file share protocol used in mobile acess file share application.

type: keyword

Unique identifier of the application on the protected mobile device.

type: keyword

Name of application downloaded on the protected mobile device.

type: keyword

Indicates whether the original application was repackage not by the official developer.

type: keyword

Unique SHA identifier of a mobile application.

type: keyword

Version of the application downloaded on the protected mobile device.

type: keyword

Name of the developer’s certificate that was used to sign the mobile application.

type: keyword

Engine name.

type: keyword

Email session id (uniqe ID of the mail).

type: keyword

Postfix email queue id.

type: keyword

Postfix email queue name.

type: keyword

Malicious file name.

type: keyword

MTA failure description.

type: keyword

String containing all the email headers.

type: keyword

Email arrival timestamp.

type: keyword

Describes the email’s state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended

type: keyword

Last time log was updated.

type: keyword

Timestamp of when email was delivered (MTA finished handling the email.

type: keyword

Number of links in the mail.

type: integer

Number of attachments in the mail.

type: integer

Mail contents. Possible options: attachments/links & attachments/links/text only.

type: keyword

Amount of allocated ports.

type: integer

Capacity of the ports.

type: integer

Percentage of allocated ports.

type: integer

4-tuple of an exhausted pool.

type: keyword

NAT rulebase first matched rule.

type: integer

When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.

type: integer

Used for information messages, for example:NAT connection has ended.

type: keyword

NAT 46 status, in most cases "enabled".

type: keyword

TCP connection end time.

type: keyword

Reason for TCP connection closure.

type: keyword

Describes NAT allocation for specific subscriber.

type: keyword

Source IP before CGNAT.

type: ip

Source IP which will be used after CGNAT.

type: ip

Subscriber start int which will be used for NAT.

type: integer

Subscriber end int which will be used for NAT.

type: integer

Amount of packets dropped.

type: integer

Aggregated logs of monitored packets.

type: keyword

Amount of multicast packets dropped.

type: integer

Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.

type: keyword

Connections amount of aggregated log info.

type: integer

IP related to the attack.

type: keyword

Check Point ThreatCloud / emulator name.

type: keyword

System and applications version the file was emulated on.

type: keyword

List of names dropped from the original file.

type: keyword

List of file types dropped from the original file.

type: keyword

List of file hashes dropped from the original file.

type: keyword

List of file verdics dropped from the original file.

type: keyword

Images the files were emulated on.

type: keyword

Types of extracted files in case of an archive.

type: keyword

Names of extracted files in case of an archive.

type: keyword

Archive hash in case of extracted files.

type: keyword

Verdict of extracted files in case of an archive.

type: keyword

UID of extracted files in case of an archive.

type: keyword

The adversary is trying to break into your network.

type: keyword

The adversary is trying to run malicious code.

type: keyword

The adversary is trying to maintain his foothold.

type: keyword

The adversary is trying to gain higher-level permissions.

type: keyword

The adversary is trying to avoid being detected.

type: keyword

The adversary is trying to steal account names and passwords.

type: keyword

The adversary is trying to expose information about your environment.

type: keyword

The adversary is trying to explore your environment.

type: keyword

The adversary is trying to collect data of interest to achieve his goal.

type: keyword

The adversary is trying to communicate with compromised systems in order to control them.

type: keyword

The adversary is trying to steal data.

type: keyword

The adversary is trying to manipulate, interrupt, or destroy your systems and data.

type: keyword

Archive’s hash in case of extracted files.

type: keyword

Archive’s name in case of extracted files.

type: keyword

Archive’s UID in case of extracted files.

type: keyword

Other IoCs similar to the ones found, related to the malicious file.

type: keyword

Hashes found similar to the malicious file.

type: keyword

Strings found similar to the malicious file.

type: keyword

Network action found similar to the malicious file.

type: keyword

Emulators determined file verdict.

type: keyword

Identifier of the packet capture files.

type: keyword

The number of attachments in an email.

type: integer

ID of original file/mail which are sent by admin.

type: keyword

File risk.

type: integer

Operation made by Threat Extraction.

type: keyword

Active content that was found.

type: keyword

Extraction process duration.

type: keyword

File download time from resource.

type: keyword

Threat extraction total file handling time.

type: keyword

The result of the extraction

type: keyword

Reports whether watermark is added to the cleaned file.

type: keyword

The Check Point session ID.

type: keyword

Matched object name on source column.

type: keyword

Matched object name on destination column.

type: keyword

Drop reason description.

type: keyword

Number of hits on a rule.

type: integer

Layer number.

type: integer

First hit time in current interval.

type: integer

Last hit time in current interval.

type: integer

Information sent when old connections cannot be matched during policy installation.

type: keyword

Connection rematched time.

type: keyword

Connection drop reason.

type: integer

Connection drop reason message.

type: keyword

Boolean value indicates whether bytes sent from the client side are used.

type: integer

Serial number of the log for a specific connection.

type: integer

Private key of the rule

type: integer

Alert level of matched rule (for connection logs).

type: keyword

Parent rule number, in case of inline layer.

type: integer

Rule number.

type: integer

Number of outgoing bytes dropped when using UP-limit feature.

type: integer

Number of incoming bytes dropped when using UP-limit feature.

type: integer

Media used (audio, video, etc.)

type: keyword

Explains why source_ip isn’t allowed to redirect (handover).

type: keyword

Registration request.

type: keyword

Registered IP-Phones.

type: keyword

Registered IP-Phone type.

type: keyword

Call-ID.

type: keyword

Registration port.

type: integer

Registration IP protocol.

type: integer

Registration period.

type: integer

VoIP log types. Possible values: reject, call, registration.

type: keyword

Source IP-Phone.

type: keyword

Source IP-Phone type.

type: keyword

Destination IP-Phone.

type: keyword

Destination IP-Phone type.

type: keyword

Call direction: in/out.

type: keyword

Call state. Possible values: in/out.

type: keyword

Call termination time stamp.

type: keyword

Call duration (seconds).

type: keyword

Media int.

type: keyword

Media IP protocol.

type: keyword

Estimated codec.

type: keyword

Expiration.

type: integer

Attachment size.

type: integer

Attachment action Info.

type: keyword

Estimated codec.

type: keyword

Reject reason.

type: keyword

Information.

type: keyword

Configuration.

type: keyword

Registrar server IP address.

type: ip

Username whose packets are dropped on SCV.

type: keyword

Drop reason.

type: keyword

Authentication status.

type: keyword

Describes the scheme used for the log.

type: keyword

Password authentication protocol used (PAP or EAP).

type: keyword

The authentication status for an event.

type: keyword

L2TP machine which triggered the log and the log refers to it.

type: keyword

L2TP /IKE / Link Selection.

type: keyword

Authentication failure reason.

type: keyword

IP address response status.

type: keyword

IP address which the client connects to.

type: keyword

Main IP of the peer Security Gateway.

type: ip

IP address response status.

type: keyword

External Interface name for source interface or Null if not found.

type: keyword

Next hop IP address.

type: keyword

Initiator Spi ID.

type: keyword

Responder Spi ID.

type: keyword

Message indicating why the encryption failed.

type: keyword

All QM ids.

type: keyword

Community name for the IPSec key and the use of the IKEv.

type: keyword

IKEMode (PHASE1, PHASE2, etc..).

type: keyword

Initiator cookie.

type: keyword

Responder cookie.

type: keyword

Message ID.

type: keyword

IPSEc methods.

type: keyword

Calculation of md5 of the IP and user name as UID.

type: keyword

Site name.

type: keyword

Unknown rule name.

type: keyword

Unknown rule action.

type: keyword

Unknown rule type.

type: keyword

Non-compliance reason.

type: keyword

Associated policies.

type: keyword

Spyware name.

type: keyword

Spyware type.

type: keyword

Anti virus type.

type: keyword

End user firewall type.

type: keyword

Scan failed.

type: keyword

Access denied.

type: keyword

Endpoint Connect.

type: keyword

HTTP parser error.

type: keyword

HTTP method.

type: keyword

In case of phishing event, the domain, which the attacker was impersonating.

type: keyword

type: keyword

Connection direction

type: keyword

Database version

type: keyword

Status of database update

type: keyword