Skip to main content
Skip table of contents

V 2.0 : Forensics Events

Vendor Documentation


Rule NameRule TypeCommon EventClassification
V 2.0 : Forensics EventsBase RuleGeneral Threat MessageActivity
V 2.0 : Forensics : Detect ActionSub RuleGeneral Threat MessageActivity
V 2.0 : Forensics : Prevent ActionSub RuleThreat BlockedFailed Activity

Mapping with LogRhythm Schema

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
SubproductN/AN/ACan be VPN or non-VPN
Product<vmid>Text/StringProduct name
OriginipN/AN/AIP of the log origin 
originN/AN/AName of the first Security Gateway that reported this event
SIP<sip>IP AddressSource IP
SPort<sport>NumberSource host port number
DIP<dip>IP AddressDestination IP
dport<dport>NumberDestination port
protocol<protnum>NumberProtocol detected on the connection
ifname<sinterface>Text/StringThe name of the Security Gateway interface through which a connection traverses
ifdirectionN/AN/AConnection direction
Reason<reason>Text/StringInformation on the error occurred
RuleN/AN/AMatched rule number
InfoN/AN/ARule information on the blocked diameter CMD
XlateSIP<snatip>IP AddressSource ipv4 after applying NAT
XlateSport<snatport>NumberSource port after applying hide NAT on source IP
XlateDIP<dnatip>IP AddressDestination ipv4 after applying NAT
XlateDPort<dnatport>NumberDestination port after applying NAT
UserN/AN/ASource user name
alertN/AN/AAlert level of matched rule (for connection logs)
icmp_codeN/AN/AIf a connection is ICMP, the ICMP code info will be added to the log
icmp_typeN/AN/AIf a connection is ICMP, the type info will be added to the log
matched_categoryN/AN/AName of matched category
rule_nameN/AN/AAccess rule name
timeN/AN/AThe time stamp when the log was created
src_machine_name<sname>Text/StringMachine name connected to source IP
src_user_name<login>Text/StringUser name connected to source IP
Confidence_LevelN/AN/AConfidence level determined by ThreatCloud
Possible values:
0 - N/A
1 - Low
2 - Medium-Low
3 - Medium
4 - Medium-High
5 - High
Severity<severity>NumberThreat severity determined by ThreatCloud
Possible values:
0 - Informational
1 - Low
2 - Medium
3 - High
4 - Critical
malware_action<vendorinfo>Text/StringDescription of detected malware activity
Protection_name<threatname>Text/StringSpecific signature name of the attack
PolicyNameN/AN/AName of the last policy that this Security Gateway fetched
Protection_TypeN/AN/AType of protection used to detect the attack
file_md5<hash>Text/StringFile md5 
file_name<object>Text/StringMalicious file name / Matched file size
file_type<objecttype>Text/StringClassified file type
file_size<size>NumberAttachment file size / Matched file size
client_nameN/AN/AClient Application or Software Blade that detected the event
generalinformationN/AN/AID of original file/mail sent by admin
flagsN/AN/ACheckpoint internal field
loguidN/AN/AUUID of unified logs 
sequencenumN/AN/ANumber added to order logs with the same Linux timestamp and origin
attack_status<status>Text/StringIn case of a malicious event on an endpoint computer, the status of the attack
client_versionN/AN/ABuild version of SandBlast Agent client installed on the computer
file_sha1N/AText/StringFile sha1
file_sha256N/AText/StringFile sha256
impacted_filesN/AN/AIn case of an infection on an endpoint computer, the list of files that the malware impacted
installed_productsN/AN/AList of installed Endpoint Software Blades
local_timeN/AN/ALocal time on the endpoint computer
os_nameN/AN/AName of the OS installed on the source endpoint computer
os_versionN/AN/ABuild version of the OS installed on the source endpoint computer
packet_capture_unique_idN/AN/AIdentifier of the packet capture files
product_familyN/AN/AThe product family the blade/product belongs to 
Possible values:
0 - Network
1 - Endpoint
2 - Access
3 - Threat
4 - Mobile
remediated_filesN/AN/AIn case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.