V 2.0 : Smart Defense Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : Smart Defense Events | Base Rule | General Threat Message | Activity |
V 2.0 : SmartDefense : Accept Action | Sub Rule | General Attack Activity | Attack |
V 2.0 : SmartDefense : Detect Action | Sub Rule | General Attack Activity | Attack |
V 2.0 : SmartDefense : Drop Action | Sub Rule | Threat Blocked | Failed Activity |
V 2.0 : Adobe Reader Violation : Monitor | Sub Rule | Adobe Reader Violation | Activity |
V 2.0 : Apache Server Protection Violation : Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
V 2.0 : Apache Srvr Protection Violation : Monitor | Sub Rule | Apache Web Server Message | Information |
V 2.0 : Audio Connection Attempt : Monitor | Sub Rule | Connection Attempt | Network Traffic |
V 2.0 : Block HTTP Non-Compliant : Monitor | Sub Rule | Noncompliant Attributes | Warning |
V 2.0 : Block HTTP Non Compliant : Reject | Sub Rule | Blocked Non-Compliant HTTP Format | Activity |
V 2.0 : Block Non HTTP Traffic : Monitor | Sub Rule | General Network Traffic | Network Traffic |
V 2.0 : Content Protection Violation : Monitor | Sub Rule | Security Policy Violation | Warning |
V 2.0 : Content Protection Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
V 2.0 : DNS Reserved Header Bit : Monitor | Sub Rule | Protocol Anomaly | Attack |
V 2.0 : DNS Reserved Header Bit : Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
V 2.0 : Geo-location Enforcement : Monitor | Sub Rule | Geo-Location Enforcement | Other Operations |
V 2.0 : Geo-location Enforcement : Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
V 2.0 : HTTP Protocol Inspection : Monitor | Sub Rule | HTTP Message Violates Inspection Rule | Information |
V 2.0 : HTTP Protocol Inspection : Drop | Sub Rule | General Failed Activity | Failed Activity |
V 2.0 : Non-Standard Port HTTP Violation : Monitor | Sub Rule | HTTP Security Violation | Other Security |
V 2.0 : Non-Standard Port HTTP Violation : Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
V 2.0 : Instant Messengers : Monitor | Sub Rule | IM/Chat Activity | Misuse |
V 2.0 : Instant Messengers : Drop | Sub Rule | Failed IM/Chat Activity | Failed Misuse |
V 2.0 : IP Fragments : Drop | Sub Rule | Threat Blocked | Failed Activity |
V 2.0 : Large Ping : Monitor | Sub Rule | Ping Request | Network Traffic |
V 2.0 : Large Ping : Drop | Sub Rule | General Failed Activity | Failed Activity |
V 2.0 : Malformed HTTP : Monitor | Sub Rule | Malformed Object | Suspicious |
V 2.0 : Malformed HTTP : Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
V 2.0 : Malformed Packet : Monitor | Sub Rule | Malformed / Bad Packet Detected | Network Traffic |
V 2.0 : Malformed Packet : Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
V 2.0 : Non Compliant DNS : Detect | Sub Rule | Non Compliant DNS | Activity |
V 2.0 : Port Scan : Monitor | Sub Rule | Port Scan | Reconnaissance |
V 2.0 : Port Scan : Drop | Sub Rule | Port Scan Activity Dropped | Failed Activity |
V 2.0 : SSL Enforcement Violation : Monitor | Sub Rule | SSL Enforcement | Activity |
V 2.0 : SSL Enforcement Violation : Drop | Sub Rule | Drop VPN - SSL Enforcement | Failed Activity |
V 2.0 : SSL Tunneling : Monitor | Sub Rule | General TUNNEL Message | Information |
V 2.0 : SSL Tunneling : Drop | Sub Rule | Secure Tunnel Deleted | Information |
V 2.0 : Stream Engine : Net Conf Problem : Monitor | Sub Rule | General Configuration Error | Error |
V 2.0 : Stream Engine : Network Conf Problem: Drop | Sub Rule | Configuration Failure | Network Traffic |
V 2 : Stream Engine : TCP Seg Limit Enf : Monitor | Sub Rule | General TCP/IP Information | Information |
V 2.0 : Stream Engine : TCP Seg Limit Enf : Drop | Sub Rule | TCP Packet Dropped | Information |
V 2.0 : Stream Engine : TCP Seg Limit Enf : Accept | Sub Rule | Permitted TCP Packet | Network Traffic |
V 2.0 : Stream Engine : TCP Urg Data Enf : Monitor | Sub Rule | TCP Urgent Data Enforcement | Network Traffic |
V 2.0 : Stream Engine : TCP Urg Data Enf : Drop | Sub Rule | TCP Packet Dropped | Information |
V 2.0 : SmartDefense : SYN : Monitor | Sub Rule | Packet Received | Network Traffic |
V 2.0 : SmartDefense : SYN : Drop | Sub Rule | Packet Dropped | Warning |
V 2.0 : TCP Enforcement Violation : Monitor | Sub Rule | General Protocol Violation | Error |
V 2.0 : TCP Enforcement Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
virtuallogsource | N/A | N/A | N/A |
Subproduct | N/A | N/A | Can be VPN or non-VPN |
Product | <vmid> | Text/String | Product name |
origin_ip | N/A | N/A | IP of the log origin |
origin | N/A | N/A | Name of the first Security Gateway that reported this event |
Action | <action> <tag2> | Text/String | N/A |
SIP | <sip> | IP Address | Source IP |
SPort | <sport> | Number | Source host port number |
DIP | <dip> | IP Address | Destination IP |
dport | <dport> | Number | Destination port |
protocol | <protnum> | Number | Protocol detected on the connection |
ifname | <sinterface> | Text/String | The name of the Security Gateway interface through which a connection traverses |
ifdirection | N/A | N/A | Connection direction |
Reason | <reason> | Text/String | Information on the error occurred |
Rule | N/A | N/A | Matched rule number |
PolicyName | <policy> | Text/String | Name of the last policy that this Security Gateway fetched |
XlateSIP | <snatip> | IP Address | Source ipv4 after applying NAT |
XlateSport | <snatport> | Number | Source port after applying hide NAT on source IP |
XlateDIP | <dnatip> | IP Address | Destination ipv4 after applying NAT |
XlateDPort | <dnatport> | Number | Destination port after applying NAT |
User | N/A | N/A | Source user name |
src_user_name | <login> | Text/String | User name connected to source IP |
dst_user_name | <account> | Text/String | Connected user name on the destination IP |
to | <recipient> | Text/String | Source mail recipient |
from | <sender> | Text/String | Source mail address |
web_client_type | N/A | N/A | Web client detected in the HTTP request (e.g., Chrome) |
web_server_type | N/A | N/A | Web server detected in the HTTP response |
Url | <url> | Text/String | N/A |
dst_machine_name | <dname> | Text/String | Machine name connected to destination IP |
src_machine_name | <sname> | Text/String | Machine name connected to source IP |
proxy_src_ip | N/A | N/A | Sender source IP (even when using proxy) |
Attack | <vendorinfo> <tag1> | Text/String | N/A |
AttackInfo | <threatname> | Text/String | N/A |
PacketInfo | N/A | N/A | N/A |
Protection_name | N/A | N/A | Specific signature name of the attack |
Severity | <severity> | Number | Threat severity determined by ThreatCloud Possible values: 0 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical |
Confidence_Level | N/A | N/A | Confidence level determined by ThreatCloud Possible values: 0 - N/A 1 - Low 2 - Medium-Low 3 - Medium 4 - Medium-High 5 - High |
SmartDefense_Profile | N/A | N/A | IPS profile responsible for the decision about the action |
Perf_Impact | N/A | N/A | Protection performance impact |
Industry_Reference | <cve> | Text/String | CVE registry entry |
Protection_Type | N/A | N/A | Type of protection used to detect the attack |
rule_name | N/A | N/A | Access rule name |
Info | N/A | N/A | Rule information on the blocked diameter CMD |
message | N/A | N/A | General log message |
time | N/A | N/A | The time stamp when the log was created |
alert | N/A | N/A | Alert level of matched rule (for connection logs) |
rule_uid | N/A | N/A | Access policy rule ID on which the connection was matched |
flags | N/A | N/A | Checkpoint internal field |
loguid | N/A | N/A | UUID of unified logs |
sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
version | N/A | N/A | N/A |
__policy_id_tag | N/A | N/A | Checkpoint internal field |
origin_sic_name | N/A | N/A | Machine SIC |
protection_id | N/A | N/A | Protection malware ID |
suppressed_logs | N/A | N/A | Sum of aggregated malicious connections |
total_logs | N/A | N/A | N/A |
reject_id | N/A | N/A | A reject ID that corresponds to the one presented in the Mobile Access error page |