V 2.0 : Anti Malware Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Anti Malware Events | Base Rule | Detected Malware Activity | Malware |
| V 2.0 : Anti Malware Events : Malware Detected | Sub Rule | Detected Malware Activity | Malware |
| V 2.0 : Anti Malware Events : Malware Prevented | Sub Rule | Failed Malware Activity | Failed Malware |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Product | <vmid> | Text/String | Product name |
| Originip | N/A | N/A | IP of the log origin |
| origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| Action | <action> <tag1> | Text/String | Description of detected malware activity |
| SIP | <sip> | IP address | Source IP |
| SPort | <sport> | Number | Source host port number |
| DIP | <dip> | IP address | Destination IP |
| dport | <dport> | Number | Destination host port number |
| src_machine_name | <sname> | Text/String | Machine name connected to source IP |
| protocol | <protnum> | Number | Protocol detected on the connection |
| ifname | <sinterface> | Text/String | The name of the Security Gateway interface, through which a connection traverses |
| ifdirection | N/A | N/A | Connection direction |
| User | N/A | N/A | Source user name |
| src_user_name | <login> | Text/String | User name connected to source IP |
| proxy_src_ip | <snatip> | IP address | Sender source IP (even when using proxy) |
| Url | <url> | Text/String | Matched URL |
| web_client_type | <useragent> | Text/String | Web client detected in the HTTP request (e.g: Chrome) |
| sent_bytes | <bytesin> | Number | Number of bytes sent during the connection |
| received_bytes | <bytesout> | Number | Number of bytes received during connection |
| session_id | N/A | N/A | Log UID |
| name | N/A | N/A | Application name |
| malware_family | N/A | N/A | Additional information on protection |
| Source_OS | N/A | N/A | OS which generated the attack |
| Confidence_Level | N/A | N/A | Confidence level determined by ThreatCloud Possible values: 0 - N/A 1- Low 2- Medium-Low 3 - Medium 4 - Medium-High 5 - High |
| Severity | <severity> | Number | Threat severity determined by ThreatCloud Possible values: 0 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical |
| malware_action | <vendorinfo> | Text/String | Description of detected malware activity |
| rule_name | N/A | N/A | Access rule name |
| Protection_Type | N/A | N/A | Type of protection used to detect the attack |
| Protection_name | <threatname> | Text/String | Specific signature name of the attack |
| special_properties | N/A | N/A | If this field is set to "1" the log will not be shown (in use for monitoring scan progress) |
| status | <status> | Text/String | N/A |
| scan_mail | N/A | N/A | Number of emails that were scanned by "AB malicious activity" engine |
| Dst_DNS_Host | <domainimpacted> | Text/String | N/A |
| action_details | N/A | N/A | N/A |
| description | N/A | N/A | Additional explanation how the security gateway enforced the connection |
| Reason | <reason> | Text/String | Description of log's reason |
| Attack | N/A | N/A | N/A |
| virus_name | N/A | N/A | N/A |
| AttackInfo | N/A | N/A | N/A |
| short_desc | N/A | N/A | Short description of the process that was executed |
| time | N/A | N/A | The time stamp when the log was created |
| scope_ip | N/A | N/A | N/A |
| update_status | N/A | N/A | N/A |
| alert | N/A | N/A | N/A |
| rule_uid | N/A | N/A | Access policy rule ID on which the connection was matched |
| information | N/A | N/A | Policy installation status for a specific blade (used only for Anti-Bot and Anti-Virus) |
| flags | N/A | N/A | Checkpoint internal field |
| loguid | N/A | N/A | UUID of unified logs |
| sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
| version | N/A | N/A | N/A |
| contract_name | N/A | N/A | N/A |
| db_ver | N/A | N/A | N/A |
| __policy_id_tag | <policy> | Text/String | N/A |
| dst_country | N/A | N/A | Destination country |
| log_id | N/A | N/A | Unique identity for logs includes: Type, Family, Product/Blade, Category |
| malware_rule_id | N/A | N/A | Threat prevention rule ID |
| malware_rule_name | N/A | N/A | Threat prevention rule name |
| origin_sic_name | N/A | N/A | Machine SIC |
| protection_id | N/A | N/A | Protection malware ID |
| vendor_list | N/A | N/A | The vendor name that provided the verdict for a malicious URL |
| long_desc | N/A | N/A | More information on the process (usually describing error reason in failure) |
| scan_hosts_day | N/A | N/A | Number of unique hosts during the last day |
| scan_hosts_hour | N/A | N/A | Number of unique hosts during the last hour |
| scan_hosts_week | N/A | N/A | Number of unique hosts during the last week |
| unique_detected_day | N/A | N/A | Detected virus for a specific host during the last day |
| unique_detected_hour | N/A | N/A | Detected virus for a specific host during the last hour |
| unique_detected_week | N/A | N/A | Detected virus for a specific host during the last week |
| next_update_desc | N/A | N/A | N/A |