V 2.0 : New Anti-Virus Events

Vendor Documentation

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 : New Anti-Virus Events	Base Rule	Detected Virus Activity	Malware

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
subproduct	N/A	N/A	N/A
product	<vmid>	Text/String	Product name
Originip	N/A	N/A	IP of the log origin
origin	N/A	N/A	Name of the first Security Gateway that reported this event
Action	<action>	Text/String	N/A
ifdirection	N/A	N/A	N/A
SIP	<sip>	IP Address	Source IP
SPort	<sport>	Number	Source host port number
DIP	<dip>	IP Address	Destination IP
dport	<dport>	Number	N/A
protocol	<protnum>	Number	Protocol detected on the connection
src_machine_name	<sname>	Text/String	Machine name connected to source IP
dst_machine_name	<dname>	Text/String	Machine name connected to destination IP
ifname	<sinterface>	Text/String	The name of the Security Gateway interface through which a connection traverses
proxy_src_ip	<snatip>	IP Address	Sender source IP (even when using proxy)
user	N/A	N/A	Source user name
src_user_name	<login>	Text/String	User name connected to source IP
dst_user_name	<account>	Text/String	Connected user name on the destination IP
Url	<url>	Text/String	N/A
source_os	N/A	N/A	OS which generated the attack
confidence_level	N/A	N/A	Confidence level determined by ThreatCloud Possible values: 0 - N/A 1 - Low 2 - Medium-Low 3 - Medium 4 - Medium-High 5 - High
severity	<severity>	Number	Threat severity determined by ThreatCloud Possible values: 0 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical
to	<recipient>	Text/String	Source mail recipient
from	<sender>	Text/String	Source mail address
sent_bytes	<bytesin>	Number	Number of bytes sent during the connection
received_bytes	<bytesout>	Number	Number of bytes received during connection
web_client_type	<useragent>	Text/String	Web client detected in the HTTP request (e.g., Chrome)
Dst_DNS_Host	<domainimpacted>	Text/String	Malicious DNS request domain
session_id	N/A	N/A	Log UID
malware_action	<vendorinfo>	Text/String	Description of detected malware activity
protection_name	<threatname>	Text/String	Specific signature name of the attack
action_details	N/A	N/A	N/A
malware_family	N/A	N/A	Additional information on protection
rule_name	N/A	N/A	Access rule name
special_properties	N/A	N/A	N/A
description	<subject>	Text/String	N/A
reason	<reason>	Text/String	Information on the error occurred
file_type	<objecttype>	Text/String	Classified file type
file_name	<object>	Text/String	Malicious file name
scan_result	<result>	Text/String	"Infected"/description of a failure
activity	N/A	N/A	N/A
virus_name	N/A	N/A	N/A
time	N/A	N/A	The time stamp when the log was created
protection_type	N/A	N/A	Type of protection used to detect the attack
scope_ip	N/A	N/A	N/A
alert	N/A	N/A	N/A
rule_uid	N/A	N/A	Access policy rule ID on which the connection was matched
information	N/A	N/A	Policy installation status for a specific blade (used only for Anti-Bot and Anti-Virus)
flags	N/A	N/A	N/A
loguid	N/A	N/A	UUID of unified logs
sequencenum	N/A	N/A	Number added to order logs with the same Linux timestamp and origin
version	N/A	N/A	N/A
__policy_id_tag	<policy>	Text/String	N/A
dst_country	N/A	N/A	Destination country
log_id	N/A	N/A	Unique identity for logs includes: Type, Family, Product/Blade, or Category
malware_rule_id	N/A	N/A	Threat prevention rule ID
malware_rule_name	N/A	N/A	Threat prevention rule name
origin_sic_name	N/A	N/A	Machine SIC
protection_id	<threatid>	Text/String	Protection malware ID
vendor_list	N/A	N/A	The vendor name that provided the verdict for a malicious URL