Forensics Events 1

Vendor Documentation

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192

Classification

Rule Name	Rule Type	Common Event	Classification
Forensics Events	Base Rule	Vuln Low Severity : Forensics	Vulnerability

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type
Product	<version>	Number/Text
Action	<action>	Number/Text
SIP	<sip>	Number
SPort	<sport>	Number
DIP	<dip>	Number
dport	<dport>	Number
protocol	<protname>	Number/Text
ifname	<sinterface>	Number/Text
ifdirection	<tag1>	Number/Text
Reason	<reason>	Number/Text
Info	<vendorinfo>	Number/Text
XlateSIP	<snatip>	Number/Text
XlateSport	<snatport>	Number/Text
XlateDIP	<dnatip>	Number/Text
XlateDPort	<dnatport>	Number/Text
CN	<login>	Number/Text
matched_category	<subject>	Number/Text
Url	<url>	Number/Text
src_machine_name	<sname>	Number/Text
src_user_name	<login>	Number/Text
Confidence_Level	<amount>	Number/Text
Severity	<severity>	Number/Text
malware_action	<vendorinfo>	Number/Text
Protection_name	<threatname>	Number/Text
Protection_name	<object>	Number/Text
description	<subject>	Text/String
PolicyName	<policy>	Number/Text
file_md5	<hash>	Number/Text
file_name	<objectname>	Number/Text
file_type	<objecttype>	Number/Text
file_size	<bytes>	Number
generalinformation	<vendorinfo>	Number/Text