V 2.0 : Smart Defense Events

Vendor Documentation

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 : Smart Defense Events	Base Rule	General Threat Message	Activity
V 2.0 : SmartDefense : Accept Action	Sub Rule	General Attack Activity	Attack
V 2.0 : SmartDefense : Detect Action	Sub Rule	General Attack Activity	Attack
V 2.0 : SmartDefense : Drop Action	Sub Rule	Threat Blocked	Failed Activity
V 2.0 : Adobe Reader Violation : Monitor	Sub Rule	Adobe Reader Violation	Activity
V 2.0 : Apache Server Protection Violation : Drop	Sub Rule	Failed General Attack Activity	Failed Attack
V 2.0 : Apache Srvr Protection Violation : Monitor	Sub Rule	Apache Web Server Message	Information
V 2.0 : Audio Connection Attempt : Monitor	Sub Rule	Connection Attempt	Network Traffic
V 2.0 : Block HTTP Non-Compliant : Monitor	Sub Rule	Noncompliant Attributes	Warning
V 2.0 : Block HTTP Non Compliant : Reject	Sub Rule	Blocked Non-Compliant HTTP Format	Activity
V 2.0 : Block Non HTTP Traffic : Monitor	Sub Rule	General Network Traffic	Network Traffic
V 2.0 : Content Protection Violation : Monitor	Sub Rule	Security Policy Violation	Warning
V 2.0 : Content Protection Violation : Drop	Sub Rule	General Failed Activity	Failed Activity
V 2.0 : DNS Reserved Header Bit : Monitor	Sub Rule	Protocol Anomaly	Attack
V 2.0 : DNS Reserved Header Bit : Drop	Sub Rule	Failed Protocol Anomaly	Failed Attack
V 2.0 : Geo-location Enforcement : Monitor	Sub Rule	Geo-Location Enforcement	Other Operations
V 2.0 : Geo-location Enforcement : Drop	Sub Rule	Failed General Attack Activity	Failed Attack
V 2.0 : HTTP Protocol Inspection : Monitor	Sub Rule	HTTP Message Violates Inspection Rule	Information
V 2.0 : HTTP Protocol Inspection : Drop	Sub Rule	General Failed Activity	Failed Activity
V 2.0 : Non-Standard Port HTTP Violation : Monitor	Sub Rule	HTTP Security Violation	Other Security
V 2.0 : Non-Standard Port HTTP Violation : Drop	Sub Rule	Failed Protocol Anomaly	Failed Attack
V 2.0 : Instant Messengers : Monitor	Sub Rule	IM/Chat Activity	Misuse
V 2.0 : Instant Messengers : Drop	Sub Rule	Failed IM/Chat Activity	Failed Misuse
V 2.0 : IP Fragments : Drop	Sub Rule	Threat Blocked	Failed Activity
V 2.0 : Large Ping : Monitor	Sub Rule	Ping Request	Network Traffic
V 2.0 : Large Ping : Drop	Sub Rule	General Failed Activity	Failed Activity
V 2.0 : Malformed HTTP : Monitor	Sub Rule	Malformed Object	Suspicious
V 2.0 : Malformed HTTP : Drop	Sub Rule	Failed Malformed Object	Failed Suspicious
V 2.0 : Malformed Packet : Monitor	Sub Rule	Malformed / Bad Packet Detected	Network Traffic
V 2.0 : Malformed Packet : Drop	Sub Rule	Failed Malformed Object	Failed Suspicious
V 2.0 : Non Compliant DNS : Detect	Sub Rule	Non Compliant DNS	Activity
V 2.0 : Port Scan : Monitor	Sub Rule	Port Scan	Reconnaissance
V 2.0 : Port Scan : Drop	Sub Rule	Port Scan Activity Dropped	Failed Activity
V 2.0 : SSL Enforcement Violation : Monitor	Sub Rule	SSL Enforcement	Activity
V 2.0 : SSL Enforcement Violation : Drop	Sub Rule	Drop VPN - SSL Enforcement	Failed Activity
V 2.0 : SSL Tunneling : Monitor	Sub Rule	General TUNNEL Message	Information
V 2.0 : SSL Tunneling : Drop	Sub Rule	Secure Tunnel Deleted	Information
V 2.0 : Stream Engine : Net Conf Problem : Monitor	Sub Rule	General Configuration Error	Error
V 2.0 : Stream Engine : Network Conf Problem: Drop	Sub Rule	Configuration Failure	Network Traffic
V 2 : Stream Engine : TCP Seg Limit Enf : Monitor	Sub Rule	General TCP/IP Information	Information
V 2.0 : Stream Engine : TCP Seg Limit Enf : Drop	Sub Rule	TCP Packet Dropped	Information
V 2.0 : Stream Engine : TCP Seg Limit Enf : Accept	Sub Rule	Permitted TCP Packet	Network Traffic
V 2.0 : Stream Engine : TCP Urg Data Enf : Monitor	Sub Rule	TCP Urgent Data Enforcement	Network Traffic
V 2.0 : Stream Engine : TCP Urg Data Enf : Drop	Sub Rule	TCP Packet Dropped	Information
V 2.0 : SmartDefense : SYN : Monitor	Sub Rule	Packet Received	Network Traffic
V 2.0 : SmartDefense : SYN : Drop	Sub Rule	Packet Dropped	Warning
V 2.0 : TCP Enforcement Violation : Monitor	Sub Rule	General Protocol Violation	Error
V 2.0 : TCP Enforcement Violation : Drop	Sub Rule	General Failed Activity	Failed Activity

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
virtuallogsource	N/A	N/A	N/A
Subproduct	N/A	N/A	Can be VPN or non-VPN
Product	<vmid>	Text/String	Product name
origin_ip	N/A	N/A	IP of the log origin
origin	N/A	N/A	Name of the first Security Gateway that reported this event
Action	<action> <tag2>	Text/String	N/A
SIP	<sip>	IP Address	Source IP
SPort	<sport>	Number	Source host port number
DIP	<dip>	IP Address	Destination IP
dport	<dport>	Number	Destination port
protocol	<protnum>	Number	Protocol detected on the connection
ifname	<sinterface>	Text/String	The name of the Security Gateway interface through which a connection traverses
ifdirection	N/A	N/A	Connection direction
Reason	<reason>	Text/String	Information on the error occurred
Rule	N/A	N/A	Matched rule number
PolicyName	<policy>	Text/String	Name of the last policy that this Security Gateway fetched
XlateSIP	<snatip>	IP Address	Source ipv4 after applying NAT
XlateSport	<snatport>	Number	Source port after applying hide NAT on source IP
XlateDIP	<dnatip>	IP Address	Destination ipv4 after applying NAT
XlateDPort	<dnatport>	Number	Destination port after applying NAT
User	N/A	N/A	Source user name
src_user_name	<login>	Text/String	User name connected to source IP
dst_user_name	<account>	Text/String	Connected user name on the destination IP
to	<recipient>	Text/String	Source mail recipient
from	<sender>	Text/String	Source mail address
web_client_type	N/A	N/A	Web client detected in the HTTP request (e.g., Chrome)
web_server_type	N/A	N/A	Web server detected in the HTTP response
Url	<url>	Text/String	N/A
dst_machine_name	<dname>	Text/String	Machine name connected to destination IP
src_machine_name	<sname>	Text/String	Machine name connected to source IP
proxy_src_ip	N/A	N/A	Sender source IP (even when using proxy)
Attack	<vendorinfo> <tag1>	Text/String	N/A
AttackInfo	<threatname>	Text/String	N/A
PacketInfo	N/A	N/A	N/A
Protection_name	N/A	N/A	Specific signature name of the attack
Severity	<severity>	Number	Threat severity determined by ThreatCloud Possible values: 0 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical
Confidence_Level	N/A	N/A	Confidence level determined by ThreatCloud Possible values: 0 - N/A 1 - Low 2 - Medium-Low 3 - Medium 4 - Medium-High 5 - High
SmartDefense_Profile	N/A	N/A	IPS profile responsible for the decision about the action
Perf_Impact	N/A	N/A	Protection performance impact
Industry_Reference	<cve>	Text/String	CVE registry entry
Protection_Type	N/A	N/A	Type of protection used to detect the attack
rule_name	N/A	N/A	Access rule name
Info	N/A	N/A	Rule information on the blocked diameter CMD
message	N/A	N/A	General log message
time	N/A	N/A	The time stamp when the log was created
alert	N/A	N/A	Alert level of matched rule (for connection logs)
rule_uid	N/A	N/A	Access policy rule ID on which the connection was matched
flags	N/A	N/A	Checkpoint internal field
loguid	N/A	N/A	UUID of unified logs
sequencenum	N/A	N/A	Number added to order logs with the same Linux timestamp and origin
version	N/A	N/A	N/A
__policy_id_tag	N/A	N/A	Checkpoint internal field
origin_sic_name	N/A	N/A	Machine SIC
protection_id	N/A	N/A	Protection malware ID
suppressed_logs	N/A	N/A	Sum of aggregated malicious connections
total_logs	N/A	N/A	N/A
reject_id	N/A	N/A	A reject ID that corresponds to the one presented in the Mobile Access error page