V 2.0 : Smart Defense Events

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| V 2.0: Smart Defense Events | Base Rule | General Threat Message | Activity |
| V 2.0: SmartDefense: Accept Action | Sub Rule | General Attack Activity | Attack |
| V 2.0: SmartDefense: Detect Action | Sub Rule | General Attack Activity | Attack |
| V 2.0: SmartDefense: Drop Action | Sub Rule | Threat Blocked | Failed Activity |
| V 2.0: Adobe Reader Violation: Monitor | Sub Rule | Adobe Reader Violation | Activity |
| V 2.0: Apache Server Protection Violation: Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| V 2.0: Apache Srvr Protection Violation: Monitor | Sub Rule | Apache Web Server Message | Information |
| V 2.0: Audio Connection Attempt: Monitor | Sub Rule | Connection Attempt | Network Traffic |
| V 2.0: Block HTTP Non-Compliant: Monitor | Sub Rule | Noncompliant Attributes | Warning |
| V 2.0: Block HTTP Non-Compliant: Reject | Sub Rule | Blocked Non-Compliant HTTP Format | Activity |
| V 2.0: Block Non HTTP Traffic: Monitor | Sub Rule | General Network Traffic | Network Traffic |
| V 2.0: Content Protection Violation: Monitor | Sub Rule | Security Policy Violation | Warning |
| V 2.0: Content Protection Violation: Drop | Sub Rule | General Failed Activity | Failed Activity |
| V 2.0: DNS Reserved Header Bit: Monitor | Sub Rule | Protocol Anomaly | Attack |
| V 2.0: DNS Reserved Header Bit: Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
| V 2.0: Geo-location Enforcement: Monitor | Sub Rule | Geo-Location Enforcement | Other Operations |
| V 2.0: Geo-location Enforcement: Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| V 2.0: HTTP Protocol Inspection: Monitor | Sub Rule | HTTP Message Violates Inspection Rule | Information |
| V 2.0: HTTP Protocol Inspection: Drop | Sub Rule | General Failed Activity | Failed Activity |
| V 2.0: Non-Standard Port HTTP Violation: Monitor | Sub Rule | HTTP Security Violation | Other Security |
| V 2.0: Non-Standard Port HTTP Violation: Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
| V 2.0: Instant Messengers: Monitor | Sub Rule | IM/Chat Activity | Misuse |
| V 2.0: Instant Messengers: Drop | Sub Rule | Failed IM/Chat Activity | Failed Misuse |
| V 2.0: IP Fragments: Drop | Sub Rule | Threat Blocked | Failed Activity |
| V 2.0: Large Ping: Monitor | Sub Rule | Ping Request | Network Traffic |
| V 2.0: Large Ping: Drop | Sub Rule | General Failed Activity | Failed Activity |
| V 2.0: Malformed HTTP: Monitor | Sub Rule | Malformed Object | Suspicious |
| V 2.0: Malformed HTTP: Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
| V 2.0: Malformed Packet: Monitor | Sub Rule | Malformed / Bad Packet Detected | Network Traffic |
| V 2.0: Malformed Packet: Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
| V 2.0: Non Compliant DNS: Detect | Sub Rule | Non Compliant DNS | Activity |
| V 2.0: Port Scan: Monitor | Sub Rule | Port Scan | Reconnaissance |
| V 2.0: Port Scan: Drop | Sub Rule | Port Scan Activity Dropped | Failed Activity |
| V 2.0: SSL Enforcement Violation: Monitor | Sub Rule | SSL Enforcement | Activity |
| V 2.0: SSL Enforcement Violation: Drop | Sub Rule | Drop VPN - SSL Enforcement | Failed Activity |
| V 2.0: SSL Tunneling: Monitor | Sub Rule | General TUNNEL Message | Information |
| V 2.0: SSL Tunneling: Drop | Sub Rule | Secure Tunnel Deleted | Information |
| V 2.0: Stream Engine: Net Conf Problem: Monitor | Sub Rule | General Configuration Error | Error |
| V 2.0: Stream Engine: Network Conf Problem: Drop | Sub Rule | Configuration Failure | Network Traffic |
| V 2: Stream Engine: TCP Seg Limit Enf: Monitor | Sub Rule | General TCP/IP Information | Information |
| V 2.0: Stream Engine: TCP Seg Limit Enf: Drop | Sub Rule | TCP Packet Dropped | Information |
| V 2.0: Stream Engine: TCP Seg Limit Enf: Accept | Sub Rule | Permitted TCP Packet | Network Traffic |
| V 2.0: Stream Engine: TCP Urg Data Enf: Monitor | Sub Rule | TCP Urgent Data Enforcement | Network Traffic |
| V 2.0: Stream Engine: TCP Urg Data Enf: Drop | Sub Rule | TCP Packet Dropped | Information |
| V 2.0: SmartDefense: SYN: Monitor | Sub Rule | Packet Received | Network Traffic |
| V 2.0: SmartDefense: SYN: Drop | Sub Rule | Packet Dropped | Warning |
| V 2.0: TCP Enforcement Violation: Monitor | Sub Rule | General Protocol Violation | Error |
| V 2.0: TCP Enforcement Violation: Drop | Sub Rule | General Failed Activity | Failed Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| virtuallogsource | N/A | N/A | N/A |
| Subproduct | N/A | N/A | Can be VPN or non-VPN |
| Product | `<vmid>` | Text/String | Product name |
| origin_ip | N/A | N/A | IP of the log origin |
| origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| Action | `<action>`, `<tag2>` | Text/String | N/A |
| SIP | `<sip>` | IP Address | Source IP |
| SPort | `<sport>` | Number | Source host port number |
| DIP | `<dip>` | IP Address | Destination IP |
| dport | `<dport>` | Number | Destination port |
| protocol | `<protnum>` | Number | Protocol detected on the connection |
| ifname | `<sinterface>` | Text/String | The name of the Security Gateway interface through which a connection traverses |
| ifdirection | N/A | N/A | Connection direction |
| Reason | `<reason>` | Text/String | Information on the error that occurred |
| Rule | N/A | N/A | Matched rule number |
| PolicyName | N/A | N/A | Name of the last policy that this Security Gateway fetched |
| XlateSIP | `<snatip>` | IP Address | Source IPv4 address after applying NAT |
| XlateSport | `<snatport>` | Number | Source port after applying hide NAT on the source IP |
| XlateDIP | `<dnatip>` | IP Address | Destination IPv4 address after applying NAT |
| XlateDPort | `<dnatport>` | Number | Destination port after applying NAT |
| User | N/A | N/A | Source user name |
| src_user_name | `<login>` | Text/String | User name connected to the source IP |
| dst_user_name | `<account>` | Text/String | Connected user name on the destination IP |
| to | `<recipient>` | Text/String | Source mail recipient |
| from | `<sender>` | Text/String | Source mail address |
| web_client_type | N/A | N/A | Web client detected in the HTTP request (e.g., Chrome) |
| web_server_type | N/A | N/A | Web server detected in the HTTP response |
| Url | `<url>` | Text/String | N/A |
| dst_machine_name | `<dname>` | Text/String | Machine name connected to the destination IP |
| src_machine_name | `<sname>` | Text/String | Machine name connected to the source IP |
| proxy_src_ip | N/A | N/A | Sender source IP (even when using a proxy) |
| Attack | `<vendorinfo>`, `<tag1>` | Text/String | N/A |
| AttackInfo | `<threatname>` | Text/String | N/A |
| PacketInfo | N/A | N/A | N/A |
| Protection_name | N/A | N/A | Specific signature name of the attack |
| Severity | `<severity>` | Number | Threat severity determined by ThreatCloud. Possible values: 0 - Informational; 1 - Low; 2 - Medium; 3 - High; 4 - Critical |
| Confidence_Level | N/A | N/A | Confidence level determined by ThreatCloud. Possible values: 0 - N/A; 1 - Low; 2 - Medium-Low; 3 - Medium; 4 - Medium-High; 5 - High |
| SmartDefense_Profile | N/A | N/A | IPS profile responsible for the decision about the action |
| Perf_Impact | N/A | N/A | Protection performance impact |
| Industry_Reference | `<cve>` | Text/String | CVE registry entry |
| Protection_Type | N/A | N/A | Type of protection used to detect the attack |
| rule_name | N/A | N/A | Access rule name |
| Info | N/A | N/A | Rule information on the blocked Diameter command |
| message | N/A | N/A | General log message |
| time | N/A | N/A | The timestamp when the log was created |
| alert | N/A | N/A | Alert level of the matched rule (for connection logs) |
| rule_uid | N/A | N/A | Access policy rule ID on which the connection was matched |
| flags | N/A | N/A | Check Point internal field |
| loguid | N/A | N/A | UUID of unified logs |
| sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
| version | N/A | N/A | N/A |
| __policy_id_tag | `<policy>` | Text/String | Check Point internal field |
| origin_sic_name | N/A | N/A | Machine SIC name |
| protection_id | N/A | N/A | Protection malware ID |
| suppressed_logs | N/A | N/A | The sum of aggregated malicious connections |
| total_logs | N/A | N/A | N/A |
| reject_id | N/A | N/A | A reject ID that corresponds to the one presented in the Mobile Access error page |