Checkpoint fields

Fields exported by the checkpoint module.

checkpoint

Module for parsing Check Point syslog.
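The table below only lists field names and their declared types; it does not show how a line is taken apart or what the types mean for a consumer. The following parser is an added example (it is not the module's own code) that turns one syslog line into a dictionary keyed by the `checkpoint.*` names on this page and coerces the values to the declared types. The wire layout it assumes, an RFC 5424 header followed by one `[key:"value"; key:"value"; ...]` block, is an assumption and is not shown on this page; the sample line is constructed, and `file_size`, which the `invalid_file_size` description refers to but the table does not define, is treated as an integer by assumption. The two helper checks encode the caveats the table states for `invalid_file_size` and `special_properties`.

```python
import ipaddress
import re
from typing import Any, Dict

# Field types copied from the table on this page for the fields this example
# touches; anything not listed is handled as keyword (left as a string).
FIELD_TYPES: Dict[str, str] = {
    "confidence_level": "integer",
    "rule": "integer",
    "event_count": "long",
    "suppressed_logs": "integer",
    "invalid_file_size": "integer",
    "special_properties": "integer",
    "proxy_src_ip": "ip",
    "subscriber": "ip",
    "hide_ip": "ip",
    "file_size": "integer",  # assumption: not defined on this page
}

# Assumed wire format (not shown on this page): an RFC 5424 header whose app
# name is "CheckPoint", then a single '[key:"value"; key:"value"; ...]' block.
_HEADER = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) CheckPoint (?P<pid>\S+) - '
    r'\[(?P<body>.*)\]\s*$'
)
_PAIR = re.compile(r'(?P<key>[A-Za-z0-9_\-]+):"(?P<value>[^"]*)"')


def coerce(name: str, raw: str) -> Any:
    """Convert one raw value to the type the field table declares for it.

    integer/long become int; ip is validated with ipaddress so a malformed
    address raises ValueError instead of being stored; keyword stays a str.
    """
    ftype = FIELD_TYPES.get(name, "keyword")
    if ftype in ("integer", "long"):
        return int(raw)
    if ftype == "ip":
        return str(ipaddress.ip_address(raw))
    return raw


def parse_checkpoint_syslog(line: str) -> Dict[str, Any]:
    """Parse one syslog line into {"host", "timestamp", "checkpoint": {...}}.

    A key that repeats inside the block is collected into a list, so a
    multi-valued field is not silently overwritten by its last occurrence.
    """
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a Check Point syslog line in the expected layout")
    fields: Dict[str, Any] = {}
    for pair in _PAIR.finditer(m.group("body")):
        key = pair.group("key")
        value = coerce(key, pair.group("value"))
        if key in fields:
            existing = fields[key]
            fields[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            fields[key] = value
    return {"host": m.group("host"), "timestamp": m.group("ts"), "checkpoint": fields}


def file_size_is_valid(cp: Dict[str, Any]) -> bool:
    """invalid_file_size caveat: file_size is trustworthy only when this is 0."""
    return cp.get("invalid_file_size") == 0


def is_hidden(cp: Dict[str, Any]) -> bool:
    """special_properties caveat: a value of 1 marks a log that is not shown."""
    return cp.get("special_properties") == 1


# Constructed sample line for this example; it is not a real gateway log.
SAMPLE = (
    '<134>1 2020-03-16T18:22:29Z gw-example CheckPoint 13752 - '
    '[action:"Drop"; rule:"7"; rule_action:"Drop"; proxy_src_ip:"198.51.100.23"; '
    'suppressed_logs:"12"; invalid_file_size:"0"; file_size:"2048"; '
    'special_properties:"0"; verdict:"Malicious"; confidence_level:"3"; '
    'dropped_file_name:"a.dll"; dropped_file_name:"b.dll"]'
)

if __name__ == "__main__":
    event = parse_checkpoint_syslog(SAMPLE)
    cp = event["checkpoint"]
    print(event["host"], cp["rule"], cp["verdict"], cp["dropped_file_name"])
    print("file_size usable:", file_size_is_valid(cp), "hidden:", is_hidden(cp))
```

Coercing at parse time is what makes the declared types useful downstream: an `ip` field that fails validation is rejected before it reaches an index, and an `integer` field can be compared numerically (for example `suppressed_logs` against a threshold) rather than as a string.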

checkpoint.confidence_level

Confidence level determined by ThreatCloud.

type: integer

checkpoint.calc_desc

Log description.

type: keyword

checkpoint.dst_country

Destination country.

type: keyword

checkpoint.dst_user_name

Connected user name on the destination IP.

type: keyword

checkpoint.email_id

Email number in SMTP connection.

type: keyword

checkpoint.email_subject

Original email subject.

type: keyword

checkpoint.email_session_id

Connection uuid.

type: keyword

checkpoint.event_count

Number of events associated with the log.

type: long

checkpoint.sys_message

System messages.

type: keyword

checkpoint.logid

System messages.

type: keyword

checkpoint.failure_impact

The impact of update service failure.

type: keyword

checkpoint.id

Override application ID.

type: integer

checkpoint.identity_src

The source for authentication identity information.

type: keyword

checkpoint.information

Policy installation status for a specific blade.

type: keyword

checkpoint.layer_name

Layer name.

type: keyword

checkpoint.layer_uuid

Layer UUID.

type: keyword

checkpoint.log_id

Unique identity for logs.

type: integer

checkpoint.malware_family

Additional information on protection.

type: keyword

checkpoint.origin_sic_name

Machine SIC.

type: keyword

checkpoint.policy_mgmt

Name of the Management Server that manages this Security Gateway.

type: keyword

checkpoint.policy_name

Name of the last policy that this Security Gateway fetched.

type: keyword

checkpoint.protection_id

Protection malware id.

type: keyword

checkpoint.protection_name

Specific signature name of the attack.

type: keyword

checkpoint.protection_type

Type of protection used to detect the attack.

type: keyword

checkpoint.protocol

Protocol detected on the connection.

type: keyword

checkpoint.proxy_src_ip

Sender source IP (even when using proxy).

type: ip

checkpoint.rule

Matched rule number.

type: integer

checkpoint.rule_action

Action of the matched rule in the access policy.

type: keyword

checkpoint.scan_direction

Scan direction.

type: keyword

checkpoint.session_id

Log uuid.

type: keyword

checkpoint.source_os

OS which generated the attack.

type: keyword

checkpoint.src_country

Country name, derived from connection source IP address.

type: keyword

checkpoint.src_user_name

User name connected to source IP.

type: keyword

checkpoint.ticket_id

Unique ID per file.

type: keyword

checkpoint.tls_server_host_name

SNI/CN from encrypted TLS connection used by URLF for categorization.

type: keyword

checkpoint.verdict

TE engine verdict. Possible values: Malicious/Benign/Error.

type: keyword

checkpoint.user

Source user name.

type: keyword

checkpoint.vendor_list

The vendor name that provided the verdict for a malicious URL.

type: keyword

checkpoint.web_server_type

Web server detected in the HTTP response.

type: keyword

checkpoint.client_name

Client Application or Software Blade that detected the event.

type: keyword

checkpoint.client_version

Build version of SandBlast Agent client installed on the computer.

type: keyword

checkpoint.extension_version

Build version of the SandBlast Agent browser extension.

type: keyword

checkpoint.host_time

Local time on the endpoint computer.

type: keyword

checkpoint.installed_products

List of installed Endpoint Software Blades.

type: keyword

checkpoint.cc

The Carbon Copy address of the email.

type: keyword

checkpoint.parent_process_username

Owner username of the parent process of the process that triggered the attack.

type: keyword

checkpoint.process_username

Owner username of the process that triggered the attack.

type: keyword

checkpoint.audit_status

Audit Status. Can be Success or Failure.

type: keyword

checkpoint.objecttable

Table of affected objects.

type: keyword

checkpoint.objecttype

The type of the affected object.

type: keyword

checkpoint.operation_number

The operation number.

type: keyword

checkpoint.email_recipients_num

Amount of recipients whom the mail was sent to.

type: integer

checkpoint.suppressed_logs

Aggregated connections for five minutes on the same source, destination and port.

type: integer

checkpoint.blade_name

Blade name.

type: keyword

checkpoint.status

Ok/Warning/Error.

type: keyword

checkpoint.short_desc

Short description of the process that was executed.

type: keyword

checkpoint.long_desc

More information on the process (usually describing error reason in failure).

type: keyword

checkpoint.scan_hosts_hour

Number of unique hosts during the last hour.

type: integer

checkpoint.scan_hosts_day

Number of unique hosts during the last day.

type: integer

checkpoint.scan_hosts_week

Number of unique hosts during the last week.

type: integer

checkpoint.unique_detected_hour

Detected virus for a specific host during the last hour.

type: integer

checkpoint.unique_detected_day

Detected virus for a specific host during the last day.

type: integer

checkpoint.unique_detected_week

Detected virus for a specific host during the last week.

type: integer

checkpoint.scan_mail

Number of emails that were scanned by "AB malicious activity" engine.

type: integer

checkpoint.additional_ip

DNS host name.

type: keyword

checkpoint.description

Additional explanation how the security gateway enforced the connection.

type: keyword

checkpoint.email_spam_category

Email categories. Possible values: spam/not spam/phishing.

type: keyword

checkpoint.email_control_analysis

Message classification, received from spam vendor engine.

type: keyword

checkpoint.scan_results

"Infected"/description of a failure.

type: keyword

checkpoint.original_queue_id

Original postfix email queue id.

type: keyword

checkpoint.risk

Risk level we got from the engine.

type: keyword

checkpoint.roles

The role of identity.

type: keyword

checkpoint.observable_name

IOC observable signature name.

type: keyword

checkpoint.observable_id

IOC observable signature id.

type: keyword

checkpoint.observable_comment

IOC observable signature description.

type: keyword

checkpoint.indicator_name

IOC indicator name.

type: keyword

checkpoint.indicator_description

IOC indicator description.

type: keyword

checkpoint.indicator_reference

IOC indicator reference.

type: keyword

checkpoint.indicator_uuid

IOC indicator uuid.

type: keyword

checkpoint.app_desc

Application description.

type: keyword

checkpoint.app_id

Application ID.

type: integer

checkpoint.app_sig_id

IOC indicator description.

type: keyword

checkpoint.certificate_resource

HTTPS resource. Possible values: SNI or domain name (DN).

type: keyword

checkpoint.certificate_validation

Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature.

type: keyword

checkpoint.browse_time

Application session browse time.

type: keyword

checkpoint.limit_requested

Indicates whether data limit was requested for the session.

type: integer

checkpoint.limit_applied

Indicates whether the session was actually data limited.

type: integer

checkpoint.dropped_total

Amount of dropped packets (both incoming and outgoing).

type: integer

checkpoint.client_type_os

Client OS detected in the HTTP request.

type: keyword

checkpoint.name

Application name.

type: keyword

checkpoint.properties

Application categories.

type: keyword

checkpoint.sig_id

Signature ID by which the application was detected.

type: keyword

checkpoint.desc

Override application description.

type: keyword

checkpoint.referrer_self_uid

UUID of the current log.

type: keyword

checkpoint.referrer_parent_uid

Log UUID of the referring application.

type: keyword

checkpoint.needs_browse_time

Browse time required for the connection.

type: integer

checkpoint.cluster_info

Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.

type: keyword

checkpoint.sync

Sync status and the reason (stable, at risk).

type: keyword

checkpoint.file_direction

File direction. Possible options: upload/download.

type: keyword

checkpoint.invalid_file_size

The file_size field is valid only if this field is set to 0.

type: integer

checkpoint.top_archive_file_name

In case of archive file: the file that was sent/received.

type: keyword

checkpoint.data_type_name

Data type in rulebase that was matched.

type: keyword

checkpoint.specific_data_type_name

Compound/Group scenario, data type that was matched.

type: keyword

checkpoint.word_list

Words matched by data type.

type: keyword

checkpoint.info

Special log message.

type: keyword

checkpoint.outgoing_url

URL related to this log (for HTTP).

type: keyword

checkpoint.dlp_rule_name

Matched rule name.

type: keyword

checkpoint.dlp_recipients

Mail recipients.

type: keyword

checkpoint.dlp_subject

Mail subject.

type: keyword

checkpoint.dlp_word_list

Phrases matched by data type.

type: keyword

checkpoint.dlp_template_score

Template data type match score.

type: keyword

checkpoint.message_size

Mail/post size.

type: integer

checkpoint.dlp_incident_uid

Unique ID of the matched rule.

type: keyword

checkpoint.dlp_related_incident_uid

Other ID related to this one.

type: keyword

checkpoint.dlp_data_type_name

Matched data type.

type: keyword

checkpoint.dlp_data_type_uid

Unique ID of the matched data type.

type: keyword

checkpoint.dlp_violation_description

Violation descriptions described in the rulebase.

type: keyword

checkpoint.dlp_relevant_data_types

In case of Compound/Group: the inner data types that were matched.

type: keyword

checkpoint.dlp_action_reason

Action chosen reason.

type: keyword

checkpoint.dlp_categories

Data type category.

type: keyword

checkpoint.dlp_transint

HTTP/SMTP/FTP.

type: keyword

checkpoint.duplicate

Log marked as duplicated, when mail is split and the Security Gateway sees it twice.

type: keyword

checkpoint.incident_extension

Matched data type.

type: keyword

checkpoint.matched_file

Unique ID of the matched data type.

type: keyword

checkpoint.matched_file_text_segments

Fingerprint: number of text segments matched by this traffic.

type: integer

checkpoint.matched_file_percentage

Fingerprint: match percentage of the traffic.

type: integer

checkpoint.dlp_additional_action

Watermark/None.

type: keyword

checkpoint.dlp_watermark_profile

Watermark which was applied.

type: keyword

checkpoint.dlp_repository_id

ID of scanned repository.

type: keyword

checkpoint.dlp_repository_root_path

Repository path.

type: keyword

checkpoint.scan_id

Sequential number of scan.

type: keyword

checkpoint.special_properties

If this field is set to 1 the log will not be shown (in use for monitoring scan progress).

type: integer

checkpoint.dlp_repository_total_size

Repository size.

type: integer

checkpoint.dlp_repository_files_number

Number of files in repository.

type: integer

checkpoint.dlp_repository_scanned_files_number

Number of scanned files in repository.

type: integer

checkpoint.duration

Scan duration.

type: keyword

checkpoint.dlp_fingerprint_long_status

Scan status - long format.

type: keyword

checkpoint.dlp_fingerprint_short_status

Scan status - short format.

type: keyword

checkpoint.dlp_repository_directories_number

Number of directories in repository.

type: integer

checkpoint.dlp_repository_unreachable_directories_number

Number of directories the Security Gateway was unable to read.

type: integer

checkpoint.dlp_fingerprint_files_number

Number of successfully scanned files in repository.

type: integer

checkpoint.dlp_repository_skipped_files_number

Number of files skipped because of configuration.

type: integer

checkpoint.dlp_repository_scanned_directories_number

Amount of directories scanned.

type: integer

checkpoint.number_of_errors

Number of files that were not scanned due to an error.

type: integer

checkpoint.next_scheduled_scan_date

Next scan scheduled time according to time object.

type: keyword

checkpoint.dlp_repository_scanned_total_size

Size scanned.

type: integer

checkpoint.dlp_repository_reached_directories_number

Number of scanned directories in repository.

type: integer

checkpoint.dlp_repository_not_scanned_directories_percentage

Percentage of directories the Security Gateway was unable to read.

type: integer

checkpoint.speed

Current scan speed.

type: integer

checkpoint.dlp_repository_scan_progress

Scan percentage.

type: integer

checkpoint.sub_policy_name

Layer name.

type: keyword

checkpoint.sub_policy_uid

Layer uid.

type: keyword

checkpoint.fw_message

Used for various firewall errors.

type: keyword

checkpoint.message

ISP link has failed.

type: keyword

checkpoint.isp_link

Name of ISP link.

type: keyword

checkpoint.fw_subproduct

Can be vpn/non vpn.

type: keyword

checkpoint.sctp_error

Error information: what caused SCTP to fail with out_of_state.

type: keyword

checkpoint.chunk_type

Chunk type of the SCTP stream.

type: keyword

checkpoint.sctp_association_state

The invalid SCTP association state that the update attempted to reach.

type: keyword

checkpoint.tcp_packet_out_of_state

State violation.

type: keyword

checkpoint.tcp_flags

TCP packet flags (SYN, ACK, etc.,).

type: keyword

checkpoint.connectivity_level

Log for a new connection in wire mode.

type: keyword

checkpoint.ip_option

IP option that was dropped.

type: integer

checkpoint.tcp_state

Log representing a TCP state change.

type: keyword

checkpoint.expire_time

Connection closing time.

type: keyword

checkpoint.icmp_type

In case a connection is ICMP, type info will be added to the log.

type: integer

checkpoint.icmp_code

In case a connection is ICMP, code info will be added to the log.

type: integer

checkpoint.rpc_prog

Log for new RPC state - prog values.

type: integer

checkpoint.dce-rpc_interface_uuid

Log for new RPC state - UUID values.

type: keyword

checkpoint.elapsed

Time passed since start time.

type: keyword

checkpoint.icmp

Number of packets, received by the client.

type: keyword

checkpoint.capture_uuid

UUID generated for the capture. Used when enabling the capture when logging.

type: keyword

checkpoint.diameter_app_ID

The ID of diameter application.

type: integer

checkpoint.diameter_cmd_code

Command code of the Diameter application that is not allowed.

type: integer

checkpoint.diameter_msg_type

Diameter message type.

type: keyword

checkpoint.cp_message

Used to log a general message.

type: integer

checkpoint.log_delay

Time left before deleting template.

type: integer

checkpoint.attack_status

In case of a malicious event on an endpoint computer, the status of the attack.

type: keyword

checkpoint.impacted_files

In case of an infection on an endpoint computer, the list of files that the malware impacted.

type: keyword

checkpoint.remediated_files

In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.

type: keyword

checkpoint.triggered_by

The name of the mechanism that triggered the Software Blade to enforce a protection.

type: keyword

checkpoint.https_inspection_rule_id

ID of the matched rule.

type: keyword

checkpoint.https_inspection_rule_name

Name of the matched rule.

type: keyword

checkpoint.app_properties

List of all found categories.

type: keyword

checkpoint.https_validation

Precise error, describing HTTPS inspection failure.

type: keyword

checkpoint.https_inspection_action

HTTPS inspection action (Inspect/Bypass/Error).

type: keyword

checkpoint.icap_service_id

Service ID, can work with multiple servers, treated as services.

type: integer

checkpoint.icap_server_name

Server name.

type: keyword

checkpoint.internal_error

Internal error, for troubleshooting.

type: keyword

checkpoint.icap_more_info

Free text for verdict.

type: integer

checkpoint.reply_status

ICAP reply status code, e.g. 200 or 204.

type: integer

checkpoint.icap_server_service

Service name, as given in the ICAP URI.

type: keyword

checkpoint.mirror_and_decrypt_type

Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).

type: keyword

checkpoint.interface_name

Designated interface for Mirror and Decrypt.

type: keyword

checkpoint.session_uid

HTTP session-id.

type: keyword

checkpoint.broker_publisher

IP address of the broker publisher who shared the session information.

type: ip

checkpoint.src_user_dn

User distinguished name connected to source IP.

type: keyword

checkpoint.proxy_user_name

User name connected to proxy IP.

type: keyword

checkpoint.proxy_machine_name

Machine name connected to proxy IP.

type: integer

checkpoint.proxy_user_dn

User distinguished name connected to proxy IP.

type: keyword

checkpoint.query

DNS query.

type: keyword

checkpoint.dns_query

DNS query.

type: keyword

checkpoint.inspection_item

Blade element that performed the inspection.

type: keyword

checkpoint.performance_impact

Protection performance impact.

type: integer

checkpoint.inspection_category

Inspection category: protocol anomaly, signature etc.

type: keyword

checkpoint.inspection_profile

Profile which the activated protection belongs to.

type: keyword

checkpoint.summary

Summary message for drops or detections of non-compliant DNS traffic.

type: keyword

checkpoint.question_rdata

List of question records domains.

type: keyword

checkpoint.answer_rdata

List of answer resource records to the questioned domains.

type: keyword

checkpoint.authority_rdata

List of authoritative servers.

type: keyword

checkpoint.additional_rdata

List of additional resource records.

type: keyword

checkpoint.files_names

List of files requested by FTP.

type: keyword

checkpoint.ftp_user

FTP username.

type: keyword

checkpoint.mime_from

Sender’s address.

type: keyword

checkpoint.mime_to

List of recipient addresses.

type: keyword

checkpoint.bcc

List of BCC addresses.

type: keyword

checkpoint.content_type

Mail content type. Possible values: application/msword, text/html, image/gif etc.

type: keyword

checkpoint.user_agent

String identifying requesting software user agent.

type: keyword

checkpoint.referrer

Referer HTTP request header: address of the previous web page.

type: keyword

checkpoint.http_location

Response header, indicates the URL to redirect a page to.

type: keyword

checkpoint.content_disposition

Indicates whether the content is expected to be displayed inline in the browser or handled as a downloaded attachment.

type: keyword

checkpoint.via

Via header, added by proxies for tracking purposes and to avoid sending requests in a loop.

type: keyword

checkpoint.http_server

Server HTTP header value, contains information about the software used by the origin server, which handles the request.

type: keyword

checkpoint.content_length

Content-Length HTTP header value, indicating the size of the entity body.

type: keyword

checkpoint.authorization

Authorization HTTP header value.

type: keyword

checkpoint.http_host

Domain name of the server that the HTTP request is sent to.

type: keyword

checkpoint.inspection_settings_log

Indicates that the log was released by inspection settings.

type: keyword

checkpoint.cvpn_resource

Mobile Access application.

type: keyword

checkpoint.cvpn_category

Mobile Access application type.

type: keyword

checkpoint.url

Translated URL.

type: keyword

checkpoint.reject_id

A reject ID that corresponds to the one presented in the Mobile Access error page.

type: keyword

checkpoint.fs-proto

The file share protocol used in the Mobile Access file share application.

type: keyword

checkpoint.app_package

Unique identifier of the application on the protected mobile device.

type: keyword

checkpoint.appi_name

Name of application downloaded on the protected mobile device.

type: keyword

checkpoint.app_repackaged

Indicates whether the original application was repackaged by someone other than the official developer.

type: keyword

checkpoint.app_sid_id

Unique SHA identifier of a mobile application.

type: keyword

checkpoint.app_version

Version of the application downloaded on the protected mobile device.

type: keyword

checkpoint.developer_certificate_name

Name of the developer’s certificate that was used to sign the mobile application.

type: keyword

checkpoint.email_control

Engine name.

type: keyword

checkpoint.email_message_id

Email session id (unique ID of the mail).

type: keyword

checkpoint.email_queue_id

Postfix email queue id.

type: keyword

checkpoint.email_queue_name

Postfix email queue name.

type: keyword

checkpoint.file_name

Malicious file name.

type: keyword

checkpoint.failure_reason

MTA failure description.

type: keyword

checkpoint.email_headers

String containing all the email headers.

type: keyword

checkpoint.arrival_time

Email arrival timestamp.

type: keyword

checkpoint.email_status

Describes the email’s state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended.

type: keyword

checkpoint.status_update

Last time log was updated.

type: keyword

checkpoint.delivery_time

Timestamp of when the email was delivered (MTA finished handling the email).

type: keyword

checkpoint.links_num

Number of links in the mail.

type: integer

checkpoint.attachments_num

Number of attachments in the mail.

type: integer

checkpoint.email_content

Mail contents. Possible options: attachments/links & attachments/links/text only.

type: keyword

checkpoint.allocated_ports

Amount of allocated ports.

type: integer

checkpoint.capacity

Capacity of the ports.

type: integer

checkpoint.ports_usage

Percentage of allocated ports.

type: integer

checkpoint.nat_exhausted_pool

4-tuple of an exhausted pool.

type: keyword

checkpoint.nat_rulenum

NAT rulebase first matched rule.

type: integer

checkpoint.nat_addtnl_rulenum

When matching 2 automatic rules, the second rule match will be shown; otherwise the field will be 0.

type: integer

checkpoint.message_info

Used for information messages, for example: NAT connection has ended.

type: keyword

checkpoint.nat46

NAT 46 status, in most cases "enabled".

type: keyword

checkpoint.end_time

TCP connection end time.

type: keyword

checkpoint.tcp_end_reason

Reason for TCP connection closure.

type: keyword

checkpoint.cgnet

Describes NAT allocation for specific subscriber.

type: keyword

checkpoint.subscriber

Source IP before CGNAT.

type: ip

checkpoint.hide_ip

Source IP which will be used after CGNAT.

type: ip

checkpoint.int_start

Subscriber start int which will be used for NAT.

type: integer

checkpoint.int_end

Subscriber end int which will be used for NAT.

type: integer

checkpoint.packet_amount

Amount of packets dropped.

type: integer

checkpoint.monitor_reason

Aggregated logs of monitored packets.

type: keyword

checkpoint.drops_amount

Amount of multicast packets dropped.

type: integer

checkpoint.securexl_message

Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.

type: keyword

checkpoint.conns_amount

Connections amount of aggregated log info.

type: integer

checkpoint.scope

IP related to the attack.

type: keyword

checkpoint.analyzed_on

Check Point ThreatCloud / emulator name.

type: keyword

checkpoint.detected_on

System and applications version the file was emulated on.

type: keyword

checkpoint.dropped_file_name

List of names dropped from the original file.

type: keyword

checkpoint.dropped_file_type

List of file types dropped from the original file.

type: keyword

checkpoint.dropped_file_hash

List of file hashes dropped from the original file.

type: keyword

checkpoint.dropped_file_verdict

List of file verdicts dropped from the original file.

type: keyword

checkpoint.emulated_on

Images the files were emulated on.

type: keyword

checkpoint.extracted_file_type

Types of extracted files in case of an archive.

type: keyword

checkpoint.extracted_file_names

Names of extracted files in case of an archive.

type: keyword

checkpoint.extracted_file_hash

Archive hash in case of extracted files.

type: keyword

checkpoint.extracted_file_verdict

Verdict of extracted files in case of an archive.

type: keyword

checkpoint.extracted_file_uid

UID of extracted files in case of an archive.

type: keyword

checkpoint.mitre_initial_access

The adversary is trying to break into your network.

type: keyword

checkpoint.mitre_execution

The adversary is trying to run malicious code.

type: keyword

checkpoint.mitre_persistence

The adversary is trying to maintain its foothold.

type: keyword

checkpoint.mitre_privilege_escalation

The adversary is trying to gain higher-level permissions.

type: keyword

checkpoint.mitre_defense_evasion

The adversary is trying to avoid being detected.

type: keyword

checkpoint.mitre_credential_access

The adversary is trying to steal account names and passwords.

type: keyword

checkpoint.mitre_discovery

The adversary is trying to expose information about your environment.

type: keyword

checkpoint.mitre_lateral_movement

The adversary is trying to move through your environment.

type: keyword

checkpoint.mitre_collection

The adversary is trying to collect data of interest to achieve its goal.

type: keyword

checkpoint.mitre_command_and_control

The adversary is trying to communicate with compromised systems in order to control them.

type: keyword

checkpoint.mitre_exfiltration

The adversary is trying to steal data.

type: keyword

checkpoint.mitre_impact

The adversary is trying to manipulate, interrupt, or destroy your systems and data.

type: keyword

checkpoint.parent_file_hash

Archive’s hash in case of extracted files.

type: keyword

checkpoint.parent_file_name

Archive’s name in case of extracted files.

type: keyword

checkpoint.parent_file_uid

Archive’s UID in case of extracted files.

type: keyword

checkpoint.similiar_iocs

Other IoCs similar to the ones found, related to the malicious file.

type: keyword

checkpoint.similar_hashes

Hashes found similar to the malicious file.

type: keyword

checkpoint.similar_strings

Strings found similar to the malicious file.

type: keyword

checkpoint.similar_communication

Network action found similar to the malicious file.

type: keyword

checkpoint.te_verdict_determined_by

Emulators that determined the file verdict.

type: keyword

checkpoint.packet_capture_unique_id

Identifier of the packet capture files.

type: keyword

checkpoint.total_attachments

The number of attachments in an email.

type: integer

checkpoint.additional_info

ID of the original file or mail that was sent by the admin.

type: keyword

checkpoint.content_risk

File risk.

type: integer

checkpoint.operation

Operation made by Threat Extraction.

type: keyword

checkpoint.scrubbed_content

Active content that was found.

type: keyword

checkpoint.scrub_time

Extraction process duration.

type: keyword

checkpoint.scrub_download_time

File download time from resource.

type: keyword

checkpoint.scrub_total_time

Threat extraction total file handling time.

type: keyword

checkpoint.scrub_activity

The result of the extraction.

type: keyword

checkpoint.watermark

Reports whether watermark is added to the cleaned file.

type: keyword

checkpoint.snid

The Check Point session ID.

type: keyword

checkpoint.source_object

Matched object name on source column.

type: keyword

checkpoint.destination_object

Matched object name on destination column.

type: keyword

checkpoint.drop_reason

Drop reason description.

type: keyword

checkpoint.hit

Number of hits on a rule.

type: integer

checkpoint.rulebase_id

Layer number.

type: integer

checkpoint.first_hit_time

First hit time in current interval.

type: integer

checkpoint.last_hit_time

Last hit time in current interval.

type: integer

checkpoint.rematch_info

Information sent when old connections cannot be matched during policy installation.

type: keyword

checkpoint.last_rematch_time

Connection rematched time.

type: keyword

checkpoint.action_reason

Connection drop reason.

type: integer

checkpoint.action_reason_msg

Connection drop reason message.

type: keyword

checkpoint.c_bytes

Boolean value indicates whether bytes sent from the client side are used.

type: integer

checkpoint.context_num

Serial number of the log for a specific connection.

type: integer

checkpoint.match_id

Private key of the rule.

type: integer

checkpoint.alert

Alert level of matched rule (for connection logs).

type: keyword

checkpoint.parent_rule

Parent rule number, in case of inline layer.

type: integer

checkpoint.match_fk

Rule number.

type: integer

checkpoint.dropped_outgoing

Number of outgoing bytes dropped when using UP-limit feature.

type: integer

checkpoint.dropped_incoming

Number of incoming bytes dropped when using UP-limit feature.

type: integer

checkpoint.media_type

Media used (audio, video, etc.)

type: keyword

checkpoint.sip_reason

Explains why source_ip isn’t allowed to redirect (handover).

type: keyword

checkpoint.voip_method

Registration request.

type: keyword

checkpoint.registered_ip-phones

Registered IP-Phones.

type: keyword

checkpoint.voip_reg_user_type

Registered IP-Phone type.

type: keyword

checkpoint.voip_call_id

Call-ID.

type: keyword

checkpoint.voip_reg_int

Registration port.

type: integer

checkpoint.voip_reg_ipp

Registration IP protocol.

type: integer

checkpoint.voip_reg_period

Registration period.

type: integer

checkpoint.voip_log_type

VoIP log types. Possible values: reject, call, registration.

type: keyword

checkpoint.src_phone_number

Source IP-Phone.

type: keyword

checkpoint.voip_from_user_type

Source IP-Phone type.

type: keyword

checkpoint.dst_phone_number

Destination IP-Phone.

type: keyword

checkpoint.voip_to_user_type

Destination IP-Phone type.

type: keyword

checkpoint.voip_call_dir

Call direction: in/out.

type: keyword

checkpoint.voip_call_state

Call state. Possible values: in/out.

type: keyword

checkpoint.voip_call_term_time

Call termination time stamp.

type: keyword

checkpoint.voip_duration

Call duration (seconds).

type: keyword

checkpoint.voip_media_port

Media port.

type: keyword

checkpoint.voip_media_ipp

Media IP protocol.

type: keyword

checkpoint.voip_est_codec

Estimated codec.

type: keyword

checkpoint.voip_exp

Expiration.

type: integer

checkpoint.voip_attach_sz

Attachment size.

type: integer

checkpoint.voip_attach_action_info

Attachment action Info.

type: keyword

checkpoint.voip_media_codec

Estimated codec.

type: keyword

checkpoint.voip_reject_reason

Reject reason.

type: keyword

checkpoint.voip_reason_info

Information.

type: keyword

checkpoint.voip_config

Configuration.

type: keyword

checkpoint.voip_reg_server

Registrar server IP address.

type: ip

checkpoint.scv_user

Username whose packets are dropped on SCV.

type: keyword

checkpoint.scv_message_info

Drop reason.

type: keyword

checkpoint.ppp

Authentication status.

type: keyword

checkpoint.scheme

Describes the scheme used for the log.

type: keyword

checkpoint.auth_method

Password authentication protocol used (PAP or EAP).

type: keyword

checkpoint.auth_status

The authentication status for an event.

type: keyword

checkpoint.machine

The L2TP machine that triggered the log and that the log refers to.

type: keyword

checkpoint.vpn_feature_name

L2TP / IKE / Link Selection.

type: keyword

checkpoint.reject_category

Authentication failure reason.

type: keyword

checkpoint.peer_ip_probing_status_update

IP address response status.

type: keyword

checkpoint.peer_ip

IP address which the client connects to.

type: keyword

checkpoint.peer_gateway

Main IP of the peer Security Gateway.

type: ip

checkpoint.link_probing_status_update

IP address response status.

type: keyword

checkpoint.source_interface

External Interface name for source interface or Null if not found.

type: keyword

checkpoint.next_hop_ip

Next hop IP address.

type: keyword

checkpoint.srckeyid

Initiator SPI ID.

type: keyword

checkpoint.dstkeyid

Responder SPI ID.

type: keyword

checkpoint.encryption_failure

Message indicating why the encryption failed.

type: keyword

checkpoint.ike_ids

All QM ids.

type: keyword

checkpoint.community

Community name for the IPsec key and the IKE version in use.

type: keyword

checkpoint.ike

IKEMode (PHASE1, PHASE2, etc..).

type: keyword

checkpoint.cookieI

Initiator cookie.

type: keyword

checkpoint.cookieR

Responder cookie.

type: keyword

checkpoint.msgid

Message ID.

type: keyword

checkpoint.methods

IPsec methods.

type: keyword

checkpoint.connection_uid

MD5 of the IP address and user name, used as a UID.

type: keyword

checkpoint.site_name

Site name.

type: keyword

checkpoint.esod_rule_name

Unknown rule name.

type: keyword

checkpoint.esod_rule_action

Unknown rule action.

type: keyword

checkpoint.esod_rule_type

Unknown rule type.

type: keyword

checkpoint.esod_noncompliance_reason

Non-compliance reason.

type: keyword

checkpoint.esod_associated_policies

Associated policies.

type: keyword

checkpoint.spyware_name

Spyware name.

type: keyword

checkpoint.spyware_type

Spyware type.

type: keyword

checkpoint.anti_virus_type

Anti virus type.

type: keyword

checkpoint.end_user_firewall_type

End user firewall type.

type: keyword

checkpoint.esod_scan_status

Scan failed.

type: keyword

checkpoint.esod_access_status

Access denied.

type: keyword

checkpoint.client_type

Endpoint Connect.

type: keyword

checkpoint.precise_error

HTTP parser error.

type: keyword

checkpoint.method

HTTP method.

type: keyword

checkpoint.trusted_domain

In case of phishing event, the domain, which the attacker was impersonating.

type: keyword

checkpoint.comment

type: keyword

checkpoint.conn_direction

Connection direction.

type: keyword

checkpoint.db_ver

Database version.

type: keyword

checkpoint.update_status

Status of database update.

type: keyword