Anti Malware

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Anti Malware | Base Rule | General Threat Protection Event | Activity |
| Anti-Malware : Traffic Rejected | Sub Rule | Threat Blocked | Failed Activity |
| Anti-Malware : Control Traffic | Sub Rule | General Threat Message | Activity |
| Anti-Malware : Traffic Dropped | Sub Rule | Threat Blocked | Failed Activity |
| Anti-Malware : Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Anti-Malware : Traffic Blocked | Sub Rule | Threat Blocked | Failed Activity |
| Anti-Malware : Activity Detected | Sub Rule | Possible Malware Activity | Malware |

Mapping with LogRhythm Schema  

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Product | <version> | Number/Text |
| Origin | <sender> | Number/Text |
| Action | <action> | Number/Text |
| Action | <tag1> | Number/Text |
| SIP | <sip> | Number/Text |
| SPort | <sport> | Number |
| DIP | <dip> | Number |
| DPort | <dport> | Number |
| src_machine_name | <sname> | Number/Text |
| protocol | <protname> | Number/Text |
| ifname | <sinterface> | Number/Text |
| ifdirection | <tag2> | Number/Text |
| User | <login> | Number/Text |
| src_user_name | <login> | Number/Text |
| Url | <url> | Number/Text |
| web_client_type | <useragent> | Number/Text |
| sent_bytes | <bytesout> | Number |
| received_bytes | <bytesin> | Number |
| session_id | <session> | Number/Text |
| malware_family | <objecttype> | Number/Text |
| Confidence_Level | <amount> | Number |
| severity | <severity> | Number |
| malware_action | <vendorinfo> | Number/Text |
| rule_name | <command> | Number/Text |
| Protection_Name | <threatname> | Number/Text |
| Protection_Name | <object> | Number/Text |
| status | <status> | Number/Text |
| Dst_DNS_Host | <dname> | Number/Text |
| description | <subject> | Number/Text |
| Reason | <reason> | Number/Text |
| Attack | <threatname> | Number/Text |
| Virus_Name | <threatname> | Number/Text |
| short_desc | <vmid> | Number/Text |