Log Fields Description
Solution

Introduction

The Check Point Infinity solution includes many log fields, reflecting the range of Check Point products. This field mapping helps you understand security threats and the language of the logs, so that you can write more effective queries and integrate the logs with your SIEM.

Two types of logs are available:

  • Security Logs - Generated by Security Gateway, SandBlast Agent or SandBlast Mobile.
  • Audit Logs - Generated by Security Management.

Working with the tables below

Each table entry contains:

Field Name  Field Display Name Type Description Supported Version
Blade Display Name (Blade Name) - Product Name 

Where:

  • Field Name - Field name as it appears in the raw log (if the field belongs to a table, the table's name appears in parentheses)
  • Field Display Name - Field name as it appears in SmartConsole
  • Description - Field information
  • Type - One of the following:

    Field Type Description
    int Stores an integer 
    ipaddr IP address 
    guid Globally Unique Identifier
    luuid Log Unification Unique ID
    string Sequence of alphanumeric text or other symbols
  • Blade Name - Name of blade as it appears in raw log
  • Blade Display Name - Name of blade as it appears in SmartConsole

 

Best practices for field mapping usage (SIEM integration)

If you use a SIEM platform and want to integrate Check Point logs into it, use the Log Exporter tool.

Disclaimer - The following fields are used only for Check Point internal purposes and therefore do not appear in the tables below:

  • flags 
  • ifdir 
  • ifname 
  • __policy_id_tag 
  • version
  • rounded_bytes
  • __interface
  • mgmt
  • db_tag
  • update_service
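To show how the type column and the enumerations in the table below translate into SIEM-side normalization, here is an added Python example; it is not Check Point's code and not part of the Log Exporter tool. It assumes one JSON object per event (Log Exporter can emit JSON, but the exact key set is an assumption), the function names (`coerce`, `normalize`, `normalize_json`, `to_siem_json`) are mine, the field subset, the enumerations and the internal-field list are taken from this page, and both sample events are constructed. The normalizer drops the internal fields listed above, coerces values by their declared type, attaches the page's labels to the integer enumerations, and keeps rather than discards any value that does not fit its type, so a malformed event is flagged instead of silently losing evidence.

```python
import ipaddress
import json
import uuid

# Subset of the field dictionary from this page: raw field name -> declared type.
# "int/string" is the page's own type for fields such as severity and service.
FIELD_TYPES = {
    "bytes": "int", "received_bytes": "int", "sent_bytes": "int",
    "confidence_level": "int", "product_family": "int", "app_risk": "int",
    "severity": "int/string", "service": "int/string",
    "s_port": "int", "src_port": "int",
    "src": "ipaddr", "dst": "ipaddr", "origin_ip": "ipaddr",
    "xlatesrc": "ipaddr", "xlatedst": "ipaddr",
    "loguid": "luuid", "session_id": "luuid",
    "dlp_incident_uid": "guid",
}

# Enumerations exactly as the table lists them.
ENUMS = {
    "confidence_level": {0: "N/A", 1: "Low", 2: "Medium-Low", 3: "Medium",
                         4: "Medium-High", 5: "High"},
    "severity": {0: "Informational", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"},
    "product_family": {0: "Network", 1: "Endpoint", 2: "Access", 3: "Threat", 4: "Mobile"},
    "app_risk": {0: "Unknown", 1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"},
}

# Fields the page marks as Check Point-internal; dropped before forwarding.
INTERNAL_FIELDS = {"flags", "ifdir", "ifname", "__policy_id_tag", "version",
                   "rounded_bytes", "__interface", "mgmt", "db_tag", "update_service"}


def coerce(name, raw):
    """Convert one raw value according to its declared type; raise ValueError if it does not fit."""
    ftype = FIELD_TYPES.get(name, "string")
    if ftype == "int":
        return int(raw)
    if ftype == "int/string":
        try:
            return int(raw)
        except (ValueError, TypeError):
            return str(raw)
    if ftype == "ipaddr":
        return ipaddress.ip_address(raw)  # rejects anything that is not an IPv4/IPv6 literal
    if ftype == "guid":
        return uuid.UUID(str(raw))  # rejects malformed GUIDs
    # luuid (Check Point's log unification id) and string values are kept verbatim.
    return str(raw)


def normalize(record):
    """Return (normalized_record, problems).

    Internal fields are dropped, typed fields are coerced, and enumerated
    integers get a companion '<field>_label' carrying the page's meaning.
    A value that fails coercion is kept raw and reported in problems.
    """
    out, problems = {}, []
    for name, raw in record.items():
        if name in INTERNAL_FIELDS:
            continue
        try:
            value = coerce(name, raw)
        except (ValueError, TypeError) as exc:
            problems.append(f"{name}: {exc}")
            out[name] = raw
            continue
        out[name] = value
        if name in ENUMS and isinstance(value, int):
            out[name + "_label"] = ENUMS[name].get(value, f"unknown({value})")
    return out, problems


def normalize_json(line):
    """Parse one JSON-encoded event (the assumed exporter format) and normalize it."""
    return normalize(json.loads(line))


def to_siem_json(normalized):
    """Serialize for forwarding; ipaddress/uuid objects become plain strings."""
    return json.dumps(normalized, default=str, sort_keys=True)


# Constructed sample events, not real Check Point output.
GOOD_EVENT = json.dumps({
    "time": "2024-01-01T10:00:00Z", "origin": "gw-example", "origin_ip": "192.0.2.10",
    "product": "Threat Emulation", "product_family": "3",
    "src": "10.0.0.5", "s_port": "51515", "dst": "198.51.100.7", "service": "443",
    "severity": "3", "confidence_level": "4", "bytes": "1234",
    "verdict": "Malicious", "loguid": "{0x0,0x0,0x0,0x0}",
    "ifdir": "inbound", "ifname": "eth0",
})
BAD_EVENT = json.dumps({"src": "10.0.0.5", "dst": "not-an-ip", "severity": "Critical"})

if __name__ == "__main__":
    for line in (GOOD_EVENT, BAD_EVENT):
        normalized, problems = normalize_json(line)
        print(to_siem_json(normalized))
        for problem in problems:
            print("  problem:", problem)
```

Running the module prints the good event with `severity_label` "High" and `confidence_level_label` "Medium-High" and the internal `ifdir`/`ifname` fields removed; the second event is forwarded with its unparseable `dst` left as the raw string and a problem entry naming the field, which is the behaviour you want when a SIEM rule should alert on malformed input rather than drop it.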


Security Logs


Field Name  Field Display Name Type Description Supported Version
Common Fields
Primary Category string Application category  
bytes Total Bytes int Number of bytes received during a connection  
confidence_level Confidence Level int Confidence level determined by ThreatCloud
Possible values:
0 - N/A
1 - Low
2 - Medium-Low
3 - Medium
4 - Medium-High
5 - High
 
calc_desc Description string Log description  
dst Destination ipaddr Destination IP  
dst_country Destination Country string Destination country  
dst_ip N/A ipaddr Destination IP  
dst_user_name Destination User Name string Connected user name on the destination IP  
email_id Email ID string Email number in the SMTP connection  
email_subject Email Subject string Original email subject  
email_session_id Email Session ID string Connection uuid  
event_count Event Count int Number of events associated with the log   
failure_impact Failure Impact string  The impact of update service failure  
file_id File Id int Unique file identifier  
file_type File Type string Classified file type  
file_name File Name string Malicious file name / Matched file size  
file_size File Size int  Attachment file size / Matched file size  
file_md5 File MD5 string  File md5   
file_sha1 File SHA1 string File sha1  
file_sha256 N/A string File sha256  
from Sender string Source mail address  
to Recipient string Source mail recipient  
id N/A int Override application ID  
information Information string Policy installation status for a specific blade (used only for Anti-Bot and Anti-Virus)  
interface_name Interface string The name of the Security Gateway interface, through which a connection traverses  
interfacedir Direction string Connection direction  
layer_name (match table, TP match table) Layer Name string Layer name  
layer_uuid (match table, TP match table) N/A string Layer UUID   
log_id Log ID int Unique identity for logs, composed of: Type, Family, Product\Blade, Category  
loguid N/A luuid  UUID  of unified logs   
malware_action Malware Action string Description of detected malware activity  
malware_family Malware Family string Additional information on protection  
malware_rule_id (TP match table) Threat Prevention Rule ID string Threat prevention rule ID   
malware_rule_name (TP match table) Threat Prevention Rule Name string Threat prevention rule name  
matched_category (match table) Matched Category string Name of matched category  
origin Orig string Name of the first Security Gateway that reported this event  
origin_ip N/A ipaddr IP of the log origin   
origin_sic_name N/A  string  Machine SIC   
policy_mgmt Policy Management string Name of the Management Server that manages this Security Gateway  
policy_name Policy Name string Name of the last policy that this Security Gateway fetched  
product Blade string Product name  
product_family Product Family int The product family the blade/product belongs to  
Possible values:
0 - Network
1 - Endpoint
2 - Access
3 - Threat
4 - Mobile
 
protection_id Protection ID string Protection malware id   
protection_name Protection Name string Specific signature name of the attack  
protection_type Protection Type string Type of protection used to detect the attack  
proto IP Protocol int Protocol  
protocol  Protocol string Protocol detected on the connection  
proxy_src_ip Proxied Source IP ipaddr Sender source IP (even when using proxy)  
reason Reason string Information on the error that occurred  
received_bytes Received Bytes int Number of bytes received during connection  
resource Resource string Resource from the HTTP request  
rule (match table) Rule int Matched rule number  
rule_action Action string  Action of the matched rule in the access policy  
rule_name (match table) Access Rule Name string Access rule name  
rule_uid (match table) Policy Rule UID string Access policy rule ID which the connection was matched on  
scan_direction File-Direction string Scan direction
Possible options:
1) External/DMZ/Internal to External/DMZ/Internal 
2) to/from this gateway
 
sent_bytes Sent Bytes  int Number of bytes sent during the connection  
session_id  Session Identification luuid Log uid  
sequencenum Sequencenum int Number added to order logs with the same linux timestamp and origin  
service/fservice Destination Port int/string Connection destination port/service  
service_id Service ID string Service found on the connection (by destination port)  
severity Severity int/string Threat severity determined by ThreatCloud
Possible values:
0 - Informational
1 - Low
2 - Medium
3 - High
4 - Critical

 
source_os Source OS string OS which generated the attack  
src Source ipaddr Client source IP address   
src_ip Source IP ipaddr  Source IP  
src_country Source Country string Country name, derived from connection source IP address  
src_user_name Source User Name string User name connected to source IP  
s_port Source Port int Source host port number  
src_port N/A  int  Source host port number  
ticket_id Ticket ID string Unique ID per file  
time Time string The time stamp when the log was created.  
tls_server_host_name TLS Server Host Name string  SNI/CN from encrypted TLS connection used by URLF for categorization  R80.40
type Type string Log type  
verdict Verdict string TE engine verdict 
Possible values: Malicious/Benign/Error
 
user User string Source user name  
vendor_list Vendor List string  The vendor name that provided the verdict for a malicious URL  
web_client_type Client Type string Web client detected in the HTTP request (e.g: Chrome)  
web_server_type Server Type string Web server detected in the HTTP response  
SandBlast Agent Common fields
client_name Client Name string Client Application or Software Blade that detected the event  
client_version Product Version string Build version of SandBlast Agent client installed on the computer  
extension_version Extension Version string Build version of the SandBlast Agent browser extension  
host_time Host Time string Local time on the endpoint computer  
installed_products Installed Blades string List of installed Endpoint Software Blades  
os_name OS Name string Name of the OS installed on the source endpoint computer  
os_version OS Version string Build version of the OS installed on the source endpoint computer  
packet_capture Packet Capture string Link to the PCAP traffic capture file with the recorded malicious connection  
process_md5 Process MD5 string MD5 hash of the process that triggered the attack  
process_name Process Name string Name of the process that triggered the attack  
cc CC string The Carbon Copy address of the email  
reason Reason string The reason for detecting or stopping the attack  
resource Resource string URL, Domain, or DNS of the malicious request  
Anti-Bot - SandBlast Agent
first_detection First Detection string Time of the first detection of the infection  
last_detection Last Detection string Time of the last detection of the infection  
parent_process_md5 Parent Process MD5 string MD5 hash of the parent process of the process that triggered the attack  
parent_process_name Parent Process Name string Name of the parent process of the process that triggered the attack  
parent_process_username Parent Process Username string Owner username of the parent process of the process that triggered the attack  
process_username Process Username string Owner username of the process that triggered the attack  
 Anti-Malware - SandBlast Agent
destination_dns_hostname Destination DNS Hostname string Malicious DNS request domain  
smartdefense_profile (TP match table) Threat Profile string IPS profile responsible for the decision about the action  
email_session_id Email Session ID string Email session id (unique ID of the mail)  
email_recipients_num Email Recipients Number string Number of recipients the mail was sent to  
suppressed_logs Suppressed logs int Aggregated connections for five minutes on the same source, destination and port  
blade_name N/A string Blade name  
status status int Ok/warning/error  
short_desc  N/A string Short description of the process that was executed   
long_desc  N/A string More information on the process (usually describing error reason in failure)  
scan_hosts_hour  N/A int Number of unique hosts during the last hour  
scan_hosts_day  N/A int Number of unique hosts during the last day  
scan_hosts_week  N/A int Number of unique hosts during the last week  
unique_detected_hour  N/A int Detected virus for a specific host during the last hour   
unique_detected_day  N/A int Detected virus for a specific host during the last day   
unique_detected_week  N/A int Detected virus for a specific host during the last week  
scan_mail  N/A int Number of emails that were scanned by "AB malicious activity" engine  
additional_ip Additional IP string DNS host name  
description Description string Additional explanation how the security gateway enforced the connection  
 Anti Spam - Security Gateway
email_spam_category Email Spam Category string Email categories
Possible values: spam/not spam/phishing
 
email_control Email Control string Engine name  
email_control_analysis Email Control Analysis string Message classification, received from spam vendor engine  
email_session_id Email Session ID string Internal session id  
email_id Email ID string Internal email id  
email_recipients_num Email Recipients Number int Number of recipients  
from From string Sender email address  
to  Recipient string Recipient email address  
reason Reason string Description of log's reason  
Anti Virus - Security Gateway
scan_result  Scan Result string   "Infected"/description of a failure   
triggered_by  N/A string Engine/blade which triggered the log  
original_queue_id  Original Queue ID string Original postfix email queue id  
risk  N/A string Risk level returned by the engine  
resource  Resource string In case of a malicious URL, the resource field will include that URL  
email_recipients_num Email Recipients Number  int Number of recipients  
observable_name  N/A string IOC observable signature name  
observable_id  N/A string IOC observable signature id  
observable_comment  N/A string IOC observable signature description  
indicator_name  Indicator Name string IOC indicator name  
indicator_description  N/A string IOC indicator description  
indicator_reference  N/A string IOC indicator reference  
indicator_uuid  N/A string IOC indicator uuid  
reason  Reason string Description of log's reason   
Application Control & URLF - Security Gateway
appi_name (match table) Application Name string Application name  
app_desc (match table) Application Description string Application description  
app_id (match table) Application ID int Application ID  
app_properties (match table) Additional Categories string Application categories  
app_risk (match table) Application Risk int Application risk
Possible values:
0 - Unknown
1 - Very Low
2 - Low
3 - Medium
4 - High
5 - Critical
 
app_rule_id Application Rule ID string Rule number  
app_rule_name Application Rule Name string Rule name  
app_sig_id (match table) Application Signature ID string The signature ID which the application was detected by  
categories Categories string  Matched categories  
certificate_resource Resource  string HTTPS resource Possible values: SNI or domain name (DN) R80.40
certificate_validation Certificate Validation string  Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature R80.40
description Description string Additional explanation about the certificate validation failure R80.40 
usercheck_incident_uid UserCheck ID string UserCheck incident id  
resource Resource string HTTP connection resource   
browse_time Browse Time time Application session browse time   
limit_requested N/A int Indicates whether data limit was requested for the session  
limit_applied N/A int Indicates whether the session was actually data limited  
dropped_outgoing N/A int Amount of outgoing dropped packets   
dropped_incoming N/A int Amount of incoming dropped packets  
dropped_total N/A int Amount of dropped packets (both incoming and outgoing)  
suppressed_logs Suppressed Logs int Amount of connections\HTTP sessions that were aggregated in this application session log  
match_id (match table) N/A int Mapping of matched rule to its matched application  
client_type_os N/A string Client OS detected in the HTTP request  
referrer N/A string The referrer header, if exists  
name N/A string Application name  
properties (match table) N/A string Application categories  
risk N/A int Application risk  
sig_id N/A string Signature ID by which the application was detected  
desc N/A string Override application description  
referrer_self_uid N/A guid UUID of the current log  
referrer_parent_uid N/A guid Log UUID of the referring application  
needs_browse_time N/A int Browse time required for the connection  
security_inzone N/A string Source security zone  
security_outzone N/A string Destination security zone  
url URL string Matched URL  
Cluster (VPN-1 & FireWall-1) -  Security Gateway
cluster_info Cluster information string Cluster information
Possible options: Failover reason/cluster state changes/CP cluster or 3rd party
 
sync Synchronization string Sync status and the reason (stable, at risk)  
Content Awareness - Security Gateway
file_direction File Direction string File direction
Possible options: upload/download
 
invalid_file_size N/A int file_size field is valid only if this field is set to 0  
top_archive_file_name Archive File string In case of archive file: the file that was sent/received  
data_type_name Data Type string Data type in rulebase that was matched  
specific_data_type_name N/A string Compound/Group scenario, data type that was matched  
word_list N/A string Words matched by data type  
DLP - Security Gateway 
info Information string Special log message  
outgoing_url Outgoing URL string URL related to this log (for HTTP)  
dlp_rule_name DLP Rule Name string Matched rule name  
dlp_recipients DLP Recipients string Mail recipients   
dlp_subject Mail Subject string Mail subject  
dlp_word_list DLP Words List string Phrases matched by data type  
dlp_template_score DLP Template Score string Template data type match score   
message_size Message Size int Mail/post size  
dlp_rule_name DLP Rule Name string Matched rule name  
dlp_rule_uid DLP Rule UID string Unique ID of the matched rule  
dlp_incident_uid DLP Incident UID guid Unique incident ID  
dlp_related_incident_uid Related Incidents guid Other ID related to this one  
dlp_data_type_name DLP Data Type Name string Matched data type  
dlp_data_type_uid Data Type UID string Unique ID of the matched data type  
outgoing_url Outgoing URL string HTTP post URL  
dlp_file_name Scanned Data Fragment string Matched file  
dlp_violation_description  Message to User string Violation description as defined in the rulebase  
dlp_relevant_data_types N/A  string In case of Compound/Group: the inner data types that were matched  
dlp_action_reason DLP Action Reason string Action chosen reason   
dlp_categories DLP Categories string Data type category  
dlp_transport DLP Transport string HTTP/SMTP/FTP  
duplicate Duplicate string Log marked as duplicated, when mail is split and the Security Gateway sees it twice  
incident_extension Incident Extension string Format of original data  
matched_file Matched File string Fingerprint: the file from FP repository that was matched by the traffic  
matched_file_text_segments Matched File Text Segments int Fingerprint: number of text segments matched by this traffic  
matched_file_percentage Matched File Percentage int Fingerprint: match percentage of the traffic  
dlp_addtional_action DLP Additional Action string Watermark/None  
dlp_watermark_profile DLP Watermark Profile string Watermark which was applied  
dlp_repository_id Repository ID string ID of scanned repository  
dlp_data_type_uid Data Type UID string Fingerprint data type ID  
dlp_data_type_name DLP Data Type Name string Fingerprint data type name  
dlp_repository_root_path DLP Repository Root path string Repository path  
scan_id Scan ID string Sequential number of scan  
special_properties Special properties int If this field is set to '1' the log will not be shown (in use for monitoring scan progress)  
dlp_repository_total_size Repository size (MB) int Repository size  
dlp_repository_files_number Repository files int Number of files in repository  
dlp_repository_scanned_files_number Scanned files int Number of scanned files in repository  
duration Duration time Scan duration   
dlp_fingerprint_long_status Scan Status string Scan status - long format  
dlp_fingerprint_short_status Scan Status Code string Scan status - short format  
dlp_repository_directories_number Directories int Number of directories in repository  
dlp_repository_unreachable_directories_number Unreachable directories int Number of directories the Security Gateway was unable to read  
 dlp_fingerprinted_files_number Fingerprinted Files int Number of successfully scanned files in repository   
 dlp_repository_skipped_files_number Filtered Files int Skipped number of files because of configuration  
 dlp_repository_scanned_directories_number N/A int Amount of directories scanned  
 number_of_errors Number of Errors int Number of files that were not  scanned due to an error   
 next_scheduled_scan_date Next Scheduled Scan Date timestamp Next scan scheduled time according to time object  
 dlp_repository_scanned_total_size Scanned Size (MB) int Size scanned  
 dlp_repository_scanned_files_number Scanned Files int Number of scanned files in repository  
dlp_repository_reached_directories_number Reachable Directories int Number of scanned directories in repository  
dlp_fingerprint_short_status Scan Status Code string Scan status - short format  
dlp_repository_not_scanned_directories_percentage Not scanned directories percentage int Percentage of directories the Security Gateway was unable to read  
dlp_repository_scanned_directories_number Directories scanned  int Number of files that were not scanned due to an error    
speed N/A int Current scan speed  
dlp_repository_scan_progress N/A int Scan percentage  
dlp_relevant_data_types DLP Relevant Data Types string In case matched data type is a group data type, the field specifies which data types from that group were matched  
Firewall - Security Gateway
inzone  Source Zone string Indicates whether the source zone is internal or external   
outzone  Destination Zone string Indicates whether the destination zone is internal or external  
sub_policy_name  N/A string Layer name  
sub_policy_uid  N/A string Layer uid  
fw_message  Firewall Message string Used for various firewall errors  
message  Message string ISP link has failed  
isp_link  ISP link  string Name of isp link  
fw_subproduct  Subproduct string Can be vpn/non vpn  
sctp_error  N/A string Error information, what caused sctp to fail on out_of_state  
chunk_type  N/A string Chunk type of the SCTP stream  
sctp_association_state  N/A string The bad state you were trying to update to  
tcp_packet_out_of_state  TCP packet out of state string State violation  
tcp_flags  TCP Flags string TCP packet flags (SYN, ACK, etc.,)  
connectivity_level  Connectivity Level string Log for a new connection in wire mode  
ip_option  IP Option int IP option that was dropped  
tcp_state N/A string Log reporting a TCP state change  
expire_time N/A timestamp Connection closing time  
icmp_type ICMP Type int In case a connection is ICMP, type info will be added to the log  
icmp_code ICMP Code int In case a connection is ICMP,  ICMP code info will be added to the log  
rpc_prog RPC Program int Log for new RPC state - prog values  
dce-rpc_interface_uuid  DCE-RPC Interface UUID uuid Log for new RPC state - UUID values  
start_time Start Time timestamp Session start time  
elapsed Elapsed time Time passed since start time  
packets Packets int Number of packets encountered in connection  
client_inbound_packets Client Inbound Packets int Number of packets, received by the client  
client_outbound_packets Client Outbound Packets int Number of packets, sent from the client  
server_inbound_packets Server Inbound Packets int Number of packets, received by the server  
server_outbound_packets Server Outbound Packets int Number of packets, sent from the server  
client_inbound_bytes Client Inbound Bytes int Number of bytes received by the client  
client_outbound_bytes Client Outbound Bytes int Number of bytes sent from the client  
server_inbound_bytes Server Inbound Bytes int Number of packets received by the server  
server_outbound_bytes Server Outbound Bytes int Number of packets sent from the server  
client_inbound_interface Client Inbound Interface string Gateway interface, where the connection is received from in case of an outbound connection  
client_outbound_interface Client Outbound Interface string Gateway interface, where the connection is sent from, in case of an inbound connection  
server_inbound_interface Server Inbound Interface string Gateway interface,  where the connection is received from, in case of an inbound connection  
server_outbound_interface Server Outbound Interface string Gateway interface, where the connection is sent from, in case of an outbound connection  
icmp ICMP string ICMP message, will be added to the connection log  
capture_uuid Captured UUID luuid UUID generated for the capture. Used when enabling the capture when logging.  
diameter_app_name N/A string The name defined/pre-configured for the diameter application   
diameter_app_ID N/A int The ID of diameter application  
diameter_cmd_code N/A  int Command ID of the Diameter application that is not allowed  
diameter_msg_type N/A string Diameter message type  
info Information string Rule information on the blocked diameter CMD  
cp_message N/A string Used to log a general message  
log_delay Log Delay int  Time left before deleting template   
Forensics - SandBlast Agent
attack_status Attack Status string In case of a malicious event on an endpoint computer, the status of the attack  
impacted_files Impacted Files string In case of an infection on an endpoint computer, the list of files that the malware impacted  
remediated_files Remediated Files string In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer  
triggered_by Triggered By string The name of the mechanism that triggered the Software Blade to enforce a protection  
HTTPS Inspection - Security Gateway
https_inspection_rule_id HTTPS Inspection Rule ID string ID of the matched rule  
https_inspection_rule_name HTTPS Inspection Rule Name string Name of the matched rule  
app_properties (match table) Additional Categories string List of all found categories  
resource Resource string HTTPS resource
Possible values: SNI or domain name
 
https_validation HTTPS Validation string Precise error, describing HTTPS inspection failure  
https_inspection_action Inspection Action string HTTPS inspection action (Inspect/Bypass/Error)  
ICAP Client (VPN-1 & FireWall-1) - Security Gateway
icap_service_id N/A int Service ID, can work with multiple servers, treated as "services"  
icap_server_name N/A string Server name  
internal_error N/A string Internal error, for troubleshooting  
verdict Verdict string Enforcement per HTTP connection
Possible values: Accept, Block-Reject, Data-modification
 
icap_more_info N/A string Free text for verdict  
reply_status N/A int ICAP reply status code, e.g. 200 or 204  
icap_server_service N/A string Service name, as given in the ICAP URI  
mirror_and_decrypt_type N/A string Information about decrypt and forward
Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass) 
 
interface_name N/A string Designated interface for mirror And decrypt  
session_uid N/A int HTTP session-id  
Identity Awareness - Security Gateway
broker_publisher Broker Publisher ipaddr  IP address of the broker publisher who shared the session information  R80.40
src_machine_name Source Machine Name string Machine name connected to source IP  
src_user_dn N/A string User distinguished name connected to source IP  
proxy_user_name N/A string User name connected to proxy IP  
proxy_machine_name N/A string Machine name connected to proxy IP  
proxy_user_dn N/A string User distinguished name connected to proxy IP  
dst_machine_name Destination Machine Name string Machine name connected to destination IP  
IPS (SmartDefense) - Security Gateway
resource Resource string Malicious domain  
query Query string DNS query   
dns_query DNS query string DNS query   
dns_type DNS Type string DNS query type  
inspection_item N/A string Blade element performed inspection  
performance_impact Performance Impact int Protection performance impact   
inspection_category  N/A string Inspection category: protocol anomaly, signature etc.  
inspection_profile N/A string  Profile which the activated protection belongs to  
 inspection_information N/A string Attack or violation description  
message Message string Additional information  
suppressed_logs Suppressed Logs int Sum of aggregated malicious connections   
summary N/A string Summary message of a non-compliant DNS traffic drops or detects  
tid Tunnel ID int DNS Transaction ID  
dns_message_type N/A string DNS message type
Possible values: query/response/authoritative response
 
question_rdata N/A string List of question records domains  
answer_rdata N/A string List of answer resource records to the questioned domains  
authority_rdata N/A string List of authoritative servers  
additional_rdata N/A string List of additional resource records  
files_names N/A string List of files requested by FTP  
ftp_user N/A string FTP username  
mime_from N/A string Sender's address  
mime_to N/A string List of receiver address  
cc N/A string List of CC addresses  
bcc N/A string List of BCC addresses  
content_type Content Type string Mail content type
Possible values: application/msword, text/html, image/gif etc
 
subject Subject string Mail subject    
user_agent N/A string String identifying requesting software user agent  
referrer N/A string Referrer HTTP request header, previous web page address.    
http_location N/A string Response header, indicates the URL to redirect a page to  
content_disposition N/A string Indicates how the content is expected to be displayed inline in the browser  
via N/A string Via header is added by proxies for tracking purposes, to avoid sending requests in a loop  
http_server N/A string Server HTTP header value, contains information about the software used by the origin server, which handles the request  
content_length N/A string Indicates the size of the entity-body of the HTTP header  
method N/A string HTTP method (GET, POST, PUT, etc.)  
status Status string HTTP status code  
authorization N/A string Authorization HTTP header value  
http_host N/A string Domain name of the server that the HTTP request is sent to  
industry_reference Industry Reference string CVE registry entry  
inspection_settings_log N/A string Indicates that the log was released by inspection settings  
Mobile Access (Connectra) - Security Gateway
user_group User Group string The group which the user belongs to, upon login  
cvpn_resource Application string Mobile Access application   
cvpn_category Mobile Access Category string Mobile Access application type  
url URL string Translated URL  
outgoing_url Outgoing Url string Untranslated URL, as seen inside the internal network  
reject_id Reject ID string A reject ID that corresponds to the one presented in the Mobile Access error page  
fs-proto N/A string The file share protocol used in the Mobile Access file share application  
session_uid Mobile Access Session UID guid Mobile Access session identification  
Mobile App -  SandBlast Mobile
app_package App Package string Unique identifier of the application on the protected mobile device R80.20
appi_name Application Name string Name of the application downloaded on the protected mobile device R80.20
app_repackaged Application Repackaged string Indicates whether the original application was repackaged by someone other than the official developer R80.20
app_sid_id Application Signature ID  string Unique SHA identifier of a mobile application  R80.20
app_version Application Version string Version of the application downloaded on the protected mobile device R80.20
developer_certificate_name Developer Certificate Name string Name of the developer's certificate that was used to sign the mobile application R80.20
MTA - Security Gateway 
email_control Email Control string Engine name  
email_message_id Email Message ID string Email session id (unique ID of the mail)  
email_session_id Email Session ID string  Internal session ID  
email_recipients_num Email Recipients Number int Number of recipients  
email_id Email ID string  Internal email ID  
email_queue_id Email Queue ID string Postfix email queue id  
email_queue_name Email Queue Name string Postfix email queue name  
original_queue_id  Original Queue ID string Original postfix email queue id  
file_name File Name string Malicious file name  
failure_reason Failure Reason string MTA failure description   
email_headers N/A string String containing all the email headers  
arrival_time Arrival Time timestamp Email arrival timestamp  
email_status Email Status string Describes the email's state
Possible options: delivered/deferred/skipped/bounced/hold/new/scan_started/scan_ended
 
status_update Last status update timestamp Last time log was updated  
original_queue_id Original Queue ID string  Original postfix email queue id  
scan_started Scan Started timestamp Beginning of the scanning process timestamp  
scan_ended Scan Ended timestamp End of the scanning process timestamp  
delivery_time Delivery Time timestamp Timestamp of when the email was delivered (MTA finished handling the email)  
links_num Links Number int Number of links in the mail  
attachments_num Attachments Number int Number of attachments in the mail  
email_content Email Content string Mail contents
Possible options: attachments/links & attachments/links/text only
 
NAT - Security Gateway
allocated_ports Allocated Ports  int Number of allocated ports R80.40
capacity Capacity int  Capacity of the ports R80.40
ports_usage Ports Usage int  Percentage of allocated ports R80.40
nat_exhausted_pool Nat Exhausted Pool string 4-tuple of an exhausted pool R80.40; R80.10 - R80.30 Jumbos
xlatesrc Xlate (NAT) Source IP ipaddr Source ipv4 after applying NAT  
xlatedst Xlate (NAT) Destination IP ipaddr Destination ipv4 after applying NAT  
xlatesport Xlate (NAT) Source Port int Source port after applying hide NAT on source IP  
xlatedport Xlate (NAT) Destination Port int Destination port after applying NAT  
nat_rulenum NAT Rule Number int NAT rulebase first matched rule  
nat_addtnl_rulenum NAT Additional Rule Number int When two automatic rules match, the second matched rule is shown; otherwise the field is 0  
message_info Message Information string Used for information messages, for example: NAT connection has ended  
nat46 N/A string NAT 46 status, in most cases "enabled"  
end_time N/A timestmp TCP connection end time  
tcp_end_reason N/A string Reason for TCP connection closure  
cgnet N/A string Describes NAT allocation for specific subscriber  
subscriber N/A ipaddr Source IP before CGNAT  
hide_ip N/A ipaddr Source IP which will be used after CGNAT  
int_start N/A int Subscriber start port which will be used for NAT  
int_end N/A int Subscriber end port which will be used for NAT  
SecureXL (VPN-1 & FireWall-1) - Security Gateway 
drop_reason Drop Reason string Aggregated logs of dropped packets   
packet_amount N/A int Number of packets dropped  
packets Packets string Connection tuple: source IP, source port, destination IP, destination port, protocol  
monitor_reason N/A string Aggregated logs of monitored packets  
message_info Message Information string Information on multicast packet dropped  
drops_amount  N/A int Number of multicast packets dropped   
securexl_message N/A string Two options for a SecureXL message:
1. Missed accounting records after heavy load on the logging system
2. FW log message regarding a packet drop
 
conns_amount N/A int Number of connections in the aggregated log  
aggregation_info N/A string Source port list of aggregated connections  
Threat Emulation - Security Gateway & SandBlast Agent
scope Scope ipvxaddr IP related to the attack  
analyzed_on Analyzed On string  Check Point ThreatCloud / emulator name  
detected_on Vulnerable Operating Systems string System and application versions the file was emulated on  
dropped_file_name Dropped File Name string List of names of files dropped by the original file
dropped_file_type Dropped File Type string List of types of files dropped by the original file
dropped_file_hash Dropped File Hash string List of hashes of files dropped by the original file
dropped_file_verdict Dropped File Verdict string List of verdicts of files dropped by the original file
emulated_on Not Vulnerable OS string Images the files were emulated on  
extracted_file_type Extracted File Type string Types of extracted files in case of an archive  
extracted_file_names Extracted File Names string Names of extracted files in case of an archive  
extracted_file_hash Extracted File Hash string Archive hash in case of extracted files  
extracted_file_verdict N/A string Verdict of extracted files in case of an archive  
extracted_file_uid N/A string UID of extracted files in case of an archive  
mitre_initial_access Mitre Initial Access string The adversary is trying to break into your network
mitre_execution Mitre Execution string The adversary is trying to run malicious code
mitre_persistence Mitre Persistence string The adversary is trying to maintain his foothold
mitre_privilege_escalation Mitre Privilege Escalation string The adversary is trying to gain higher-level permissions
mitre_defense_evasion Mitre Defense Evasion string The adversary is trying to avoid being detected
mitre_credential_access Mitre Credential Access string The adversary is trying to steal account names and passwords
mitre_discovery Mitre Discovery string The adversary is trying to expose information about your environment
mitre_lateral_movement Mitre Lateral Movement string The adversary is trying to explore your environment
mitre_collection Mitre Collection string The adversary is trying to collect data of interest to achieve his goal
mitre_command_and_control Mitre Command And Control string The adversary is trying to communicate with compromised systems in order to control them
mitre_exfiltration Mitre Exfiltration string The adversary is trying to steal data
mitre_impact Mitre Impact string The adversary is trying to manipulate, interrupt, or destroy your systems and data
parent_file_hash N/A string Archive's hash in case of extracted files  
parent_file_name N/A string Archive's name in case of extracted files  
parent_file_uid N/A string Archive's UID in case of extracted files   
similiar_iocs Similar IoCs string Other IoCs similar to the ones found, related to the malicious file
similar_hashes Similar Hashes string Hashes found similar to the malicious file
similar_strings string Strings found similar to the malicious file
similar_communication Similar Communication string Network action found similar to the malicious file
te_verdict_determined_by Determined By string Emulators that determined the file verdict  
packet_capture_unique_id Packet Capture Unique Id string Identifier of the packet capture files  
total_attachments Total Attachments int The number of attachments in an email  
Threat Extraction - Security Gateway & SandBlast Agent
additional_info  General Information string ID of the original file/mail sent by the admin  
content_risk  Content Risk int File risk 
Possible values:
0 - Unknown
1 - Very Low
2 - Low
3 - Medium
4 - High
5 - Critical
 
operation Operation string Operation made by Threat Extraction  
scrubbed_content Suspicious Content string Active content that was found  
scrub_time N/A string Extraction process duration  
scrub_download_time N/A string File download time from resource  
scrub_total_time N/A string Threat extraction total file handling time  
scrub_activity Threat Extraction Activity string The result of the extraction  
subject Subject string Mail subject  
watermark N/A string Reports whether watermark is added to the cleaned file  
Unified Policy (VPN-1 & FireWall-1) - Security Gateway
domain_name Domain Name string Domain name sent in the DNS request   
source_object N/A string Matched object name on source column  
destination_object N/A string Matched object name on destination column  
drop_reason Drop Reason string Drop reason description  
hit N/A int Number of hits on a rule  
rulebase_id N/A int Layer number  
first_hit_time N/A int First hit time in current interval  
last_hit_time Last Update Time int Last hit time in current interval  
rematch_info N/A string  Information sent when old connections cannot be matched during policy installation  
last_rematch_time N/A timestmp Connection rematched time  
action_reason Action Reason string Connection drop reason   
c_bytes N/A int Boolean value indicating whether bytes sent from the client side are used  
context_num N/A int Serial number of the log for a specific connection  
match_id (match table) N/A int Primary key of the rule  
alert (UP alert hll table) Alert string Alert level of matched rule (for connection logs)  
action Action int Action of matched rule  
parent_rule (match table) N/A int Parent rule number, in case of inline layer  
match_fk N/A int Rule number  
dropped_outgoing N/A int Number of outgoing bytes dropped when using UP-limit feature  
dropped_incoming N/A int Number of incoming bytes dropped when using UP-limit feature  
dropped_total N/A int Total bytes dropped when using UP-limit feature  
VoIP (VPN-1 & FireWall-1) - Security Gateway
content_type Content Type string VoIP session  
media_type N/A string Media used (audio, video, etc.)  
sip_reason SIP Reason string Explains why 'source_ip' isn't allowed to redirect (handover)  
voip_method Request string Registration request  
registered_ip-phones N/A string Registered IP-Phones  
voip_reg_user_type Registered IP-Phone Type string Registered IP-Phone type  
voip_call_id VoIP Call ID string Call-ID  
voip_reg_port Registration Port int Registration port  
voip_reg_ipp Registration IP Protocol int Registration IP protocol  
voip_reg_period Registration Period int Registration period  
voip_log_type VoIP Log Type string VoIP log types
Possible values: reject, call, registration
 
voip_method Request string Call request  
src_phone_number Source IP-phone string Source IP-Phone  
voip_from_user_type Source IP-Phone Type string Source IP-Phone type  
dst_phone_number  Destination Phone Number string Destination IP-Phone  
voip_to_user_type Destination IP-Phone Type string Destination IP-Phone type  
voip_call_dir VoIP Call direction string Call direction: in/out  
voip_call_state VoIP Call State string Call state
Possible values: in / out
 
voip_call_term_time Call termination time stamp string Call termination time stamp  
voip_duration VoIP Duration time Call duration (seconds)  
voip_media_port Media Port string Media port  
voip_media_ipp Media IP Protocol string Media IP protocol  
voip_est_codec Estimated Codec string Estimated codec  
voip_exp Expiration int Expiration  
voip_attach_sz VoIP Attachment Size int Attachment size  
voip_attach_action_info VoIP Attach Action Information  string Attachment action Info  
voip_media_codec N/A string Estimated codec  
voip_reject_reason VoIP Reject Reason string Reject reason  
voip_reason_info VoIP Reject Reason Information string Information  
voip_config VoIP Configuration string Configuration  
voip_reg_server Registrar Server ipaddr Registrar server IP address  
VPN - Security Gateway
scv_user SCV User string Username whose packets are dropped on SCV  
scv_message_info SCV Message Information string Drop reason  
ppp Point to Point Protocol string Authentication status  
scheme Encryption Scheme string Describes the scheme used for the log  
auth_method Authentication Method string Password authentication protocol used (PAP or EAP)  
machine Machine string L2TP machine which triggered the log and to which the log refers  
vpn_feature_name VPN Feature string L2TP /IKE / Link Selection  
reject_category Reject Category string Authentication failure reason  
peer_ip_probing_status_update N/A string IP address response status  
peer_ip N/A string IP address which the client connects to  
peer_gateway VPN Peer Gateway ipaddr  Main IP of the peer Security Gateway  
link_probing_status_update N/A string IP address response status  
source_interface N/A string External Interface name for source interface or Null if not found  
next_hop_ip N/A string Next hop IP address  
srckeyid Source Key ID string Initiator SPI ID  
dstkeyid Destination Key ID string Responder SPI ID  
encryption_failure Encryption Failure string Message indicating why the encryption failed  
ike_ids N/A string All QM ids  
community Community string Community name for the IPSec key and the use of the IKEv#  
ike N/A string IKE mode (PHASE1, PHASE2, etc.)  
cookieI IKE Initiator Cookie string Initiator cookie  
cookieR IKE Responder Cookie string Responder cookie  
msgid IKE Phase2 Message ID string Message ID   
methods Encryption Methods string IPsec methods  
connection_uid Connection UID  luuid MD5 of the IP and user name, used as a UID  
site_name N/A string Site name  
cvpn_category Mobile Access Category string Endpoint Security on Demand  
esod_rule_name ESOD Rule Name string Unknown rule name  
esod_rule_action ESOD Rule Action string Unknown rule action  
esod_rule_type ESOD Rule Type string Unknown rule type  
esod_noncompliance_reason ESOD Noncompliance Reason  string Non-compliance reason  
esod_associated_policies ESOD Associated Policies string Associated policies  
spyware_name Malware Name string Spyware name  
spyware_type Malware Type string Spyware type  
anti_virus_type Virus Type string Antivirus type  
end_user_firewall_type End User Firewall Type string End user firewall type  
esod_scan_status ESOD Scan Status string Scan failed  
esod_access_status ESOD access status string Access denied   
client_type N/A string Endpoint Connect  
message Message string General log message   
session_uid N/A guid SNX Session Guid   
Web Security (VPN-1 & FireWall-1) - Security Gateway
summary N/A string URLs detected for a specific host  
resource Resource string The resource from the HTTP request  
precise_error N/A string HTTP parser error  
method N/A string HTTP method
Possible values:
0 - DELETE
500 - GET
1000 - HEAD
1500 - METHOD
2000 - OPTIONS
2500 - POST
3000 - PUT
3500 - TRACE
4000 - CONNECT
Zero Phishing - SandBlast Agent
trusted_domain Trusted Domain string In case of a phishing event, the domain that the attacker was impersonating  

Audit logs

Field Name  Field Display Name Type Description
administrator Administrator string User who performed the operation
fieldschanges Changes string Specific changes done on the affected object
client_ip Client IP ipaddr IP address of the client machine the change was performed from
logic changes Logic Changes string Technical information about the specific changes done on the affected object 
objecttype Object Type string  The type of the affected object
operation Operation string The type of operation done on the object or rule
operation number Operation Number int Number of the operation performed by the administrator; each operation type is represented by a number 
objectname Performed On string The name of the object that is affected by the action
session_name Session Name string The name of the session the change was published on
session_description Session Description string The description of the session the change was published on
subject Subject string Audit log category
