V 2.0 : Threat Emulation Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Threat Emulation Events | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Product | <vmid> | Text/String | Product name |
| Originip | N/A | N/A | IP of the log origin |
| origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| Action | <action> | Text/String | Description of detected malware activity |
| SIP | <sip> | IP Address | Source IP |
| SPort | <sport> | Number | Source host port number |
| DIP | <dip> | IP Address | Destination IP |
| dport | <dport> | Number | Destination host port number |
| protocol | <protnum> | Number | Protocol detected on the connection |
| ifname | <sinterface> | Text/String | The name of the Security Gateway interface through which a connection traverses |
| ifdirection | N/A | N/A | Connection direction |
| proxy_src_ip | <snatip> | IP Address | Sender source IP (even when using proxy) |
| scope_ip | N/A | N/A | N/A |
| Url | <url> | Text/String | Matched URL |
| Source_OS | N/A | N/A | OS which generated the attack |
| Confidence_Level | N/A | N/A | Confidence level determined by ThreatCloud Possible values: 0 - N/A 1 - Low 2 - Medium-Low 3 - Medium 4 - Medium-High 5 - High |
| Severity | <severity> | Number | Threat severity determined by ThreatCloud Possible values: 0 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical |
| verdict | <result> | Text/String | TE engine verdict Possible values: Malicious/Benign/Error |
| Protection_Type | N/A | N/A | Type of protection used to detect the attack |
| User | N/A | N/A | Source user name |
| src_user_name | <login> | Text/String | User name connected to source IP |
| Query_snid | N/A | N/A | N/A |
| src_machine_name | <sname> | Text/String | Machine name connected to source IP |
| from | <sender> | Text/String | Sender email address |
| to | <recipient> | Text/String | Recipient email address |
| Email_Subject | <subject> | Text/String | Original email subject |
| email_scanned | N/A | N/A | N/A |
| dst_user_name | <account> | Text/String | Connected user name on the destination IP |
| web_client_type | <useragent> | Text/String | Web client detected in the HTTP request (e.g., Chrome) |
| UserCheck | N/A | N/A | N/A |
| user_status | N/A | N/A | N/A |
| portal_message | N/A | N/A | N/A |
| file_name | <object> | Text/String | Malicious file name / Matched file size |
| file_type | <objecttype> | Text/String | Classified file type |
| file_size | <size> | Number | Attachment file size / Matched file size |
| session_id | <session> | Text/String | Log UID |
| special_properties | N/A | N/A | If this field is set to '1,' the log will not be shown (in use for monitoring scan progress) |
| update_status | N/A | N/A | N/A |
| scanned_files | N/A | N/A | N/A |
| malware_detected | N/A | N/A | N/A |
| scanned | N/A | N/A | N/A |
| malware_action | <vendorinfo> | Text/String | Description of detected malware activity |
| file_md5 | <hash> | Text/String | File md5 |
| time | N/A | N/A | The time stamp when the log was created |
| Protection_name | <threatname> | Text/String | Specific signature name of the attack |
| description | <vendorinfo> | Text/String | Additional explanation how the security gateway enforced the connection |
| reason | <reason> | Text/String | N/A |
| policyname | N/A | N/A | N/A |
| alert | N/A | N/A | Alert level of matched rule (for connection logs) |
| client_name | N/A | N/A | N/A |
| generalinformation | N/A | N/A | N/A |
| flags | N/A | N/A | Check Point internal field |
| loguid | N/A | N/A | UUID of unified logs |
| sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
| version | N/A | N/A | N/A |
| __policy_id_tag | <policy> | Text/String | N/A |
| client_version | N/A | N/A | N/A |
| event_type | N/A | N/A | N/A |
| host_type | N/A | N/A | N/A |
| installed_products | N/A | N/A | N/A |
| local_time | N/A | N/A | N/A |
| machine_guid | N/A | N/A | N/A |
| os_name | N/A | N/A | N/A |
| os_version | N/A | N/A | N/A |
| policy_date | N/A | N/A | N/A |
| policy_number | N/A | N/A | N/A |
| product_family | N/A | N/A | N/A |
| user_name | N/A | N/A | N/A |
| user_sid | N/A | N/A | N/A |
| analyzed_on | N/A | N/A | Check Point ThreatCloud / emulator name |
| detected_on | N/A | N/A | System and applications version on which the file was emulated |
| dst_country | N/A | N/A | N/A |
| emulated_on | N/A | N/A | Images the files were emulated on |
| errors | N/A | N/A | N/A |
| file_sha1 | N/A | N/A | File sha1 |
| file_sha256 | N/A | N/A | File sha256 |
| lastupdatetime | N/A | N/A | N/A |
| log_id | N/A | N/A | Unique identity for logs includes: Type, Family, Product/Blade, or Category |
| malware_rule_id | N/A | N/A | Threat prevention rule ID |
| malware_rule_name | N/A | N/A | Threat prevention rule name |
| origin_sic_name | N/A | N/A | Machine SIC |
| packet_capture_unique_id | N/A | N/A | Identifier of the packet capture files |
| te_verdict_determined_by | N/A | N/A | Emulators determined file verdict |