Introduction

Check Point Infinity solution includes multiple log fields, representing the diversity of Check Point's products. The log fields' mapping will help you understand security threats, logs language to better use complex queries, and your SIEM.

Two types of logs are available:

• Security Logs - Generated by a Security Gateway, Harmony Endpoint, or Harmony Mobile.
• Audit Logs - Generated by a Management Server.

Working with the tables below

Each table entry contains:

Field Name	Field Display Name	Type	Description	Supported Version
Blade Display Name (Blade Name) - Product Name

Best practices for field mapping usage (SIEM integration)

In case you are using a SIEM platform and want to integrate Check Point logs into it, use the Log Exporter tool.

Disclaimer - These fields are only used for Check Point internal purposes. Therefore, these fields do not appear in the table below:

• flags
• ifdir
• ifname
• __policy_id_tag
• version
• rounded_bytes
• __interface
• mgmt
• db_tag
• update_service

Security Logs

Enter a string to filter this table:

Field Name	Field Display Name	Type	Description	Supported Version
Common Fields
	Primary Category	string	Application category
bytes	Total Bytes	int	Number of bytes received during a connection
confidence_level	Confidence Level	int	Confidence level determined by ThreatCloud Possible values: 0 - N/A 1 - Low 2 - Medium-Low 3 - Medium 4 - Medium-High 5 - High
calc_desc	Description	tring	Log description
dst	Destination	ipaddr	Destination IP address
dst_country	Destination Country	string	Destination country
dst_ip	N/A	ipaddr	Destination IP address
dst_user_name	Destination User Name	string	Connected username for the destination IP
email_id	Email ID	string	Email number in SMTP connection
email_subject	Email Subject	string	Original email subject
email_session_id	Email Session ID	string	Connection UUID
event_count	Event Count	int	Number of events associated with the log
failure_impact	Failure Impact	string	The impact of update service failure
file_id	File Id	int	Unique file identifier
file_type	File Type	string	Classified file type
file_name	File Name	string	Malicious file name / Matched file size
file_size	File Size	int	Attachment file size / Matched file size
file_md5	File MD5	string	File MD5 checksum
file_sha1	File SHA1	string	File SHA1 checksum
file_sha256	N/A	string	File SHA256 checksum
from	Sender	string	Source mail address
to	Recipient	string	Source mail recipient
id	N/A	int	Override application ID
information	Information	string	Status of policy installation for a specific Software Blade (used only for Anti-Bot and Anti-Virus)
interface_name	Interface	string	The name of the Security Gateway interface, through which a connection passes
interfacedir	Direction	string	Connection direction
layer_name (match table, TP match table)	Layer Name	string	Layer name
layer_uuid (match table, TP match table)	N/A	string	Layer UUID
log_id	Log ID	int	Unique identity for logs includes: Type, Family, Product/Blade, Category
loguid	N/A	luuid	UUID of unified logs
malware_action	Malware Action	string	Description of detected malware activity
malware_family	Malware Family	string	Additional information on protection
malware_rule_id (TP match table)	Threat Prevention Rule ID	string	Threat Prevention rule ID
malware_rule_name (TP match table)	Threat Prevention Rule Name	string	Threat Prevention rule name
matched_category (match table)	Matched Category	string	Name of the matched category
origin	Orig	string	Name of the first Security Gateway that reported this event
origin_ip	N/A	ipaddr	IP address of the Security Gateway that generated this log
origin_sic_name	N/A	string	SIC name
policy_mgmt	Policy Management	string	Name of the Management Server that manages this Security Gateway
policy_name	Policy Name	string	Name of the last policy that this Security Gateway fetched
product	Blade	string	Product name
product_family	Product Family	int	The product family the blade/product belongs to Possible values: 0 - Network 1 - Endpoint 2 - Access 3 - Threat 4 - Mobile
protection_id	Protection ID	string	Protection malware ID
protection_name	Protection Name	string	Specific signature name of the attack
protection_type	Protection Type	string	Type of protection used to detect the attack
proto	IP Protocol	int	Protocol
protocol	Protocol	string	Protocol detected on the connection
proxy_src_ip	Proxied Source IP	ipaddr	Sender source IP (even when using proxy)
reason	Reason	string	Information on the error occurred
received_bytes	Received Bytes	int	Number of bytes received during connection
resource	Resource	string	Resource from the HTTP request
rule (match table)	Rule	int	Matched rule number
rule_action	Action	string	Action of the matched rule in the access policy
rule_name (match table)	Access Rule Name	string	Access rule name
rule_uid (match table)	Policy Rule UID	string	Rule ID in the Access Control policy to which the connection was matched
scan_direction	File-Direction	string	Scan direction Possible options: 1) External/DMZ/Internal to External/DMZ/Internal 2) To/From this Security Gateway
sent_bytes	Sent Bytes	int	Number of bytes sent during the connection
session_id	Session Identification	luuid	Log UID
sequencenum	Sequencenum	int	Number added to order logs with the same Linux timestamp and origin (Security Gateway that generated these logs)
service/fservice	Destination Port	int/string	Connection (service) destination port
service_id	Service ID	string	Service found for the connection (by the destination port)
severity	Severity	int/string	Threat severity determined by ThreatCloud Possible values: 0 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical
source_os	Source OS	string	OS of the computer that generated the attack
src	Source	ipaddr	Client source IP address
src_ip	Source IP	ipaddr	Source IP
src_country	Source Country	string	Country name, derived from connection source IP address
src_user_name	Source User Name	string	Username connected to the source IP
s_port	Source Port	int	Source host port number
src_port	N/A	int	Source host port number
ticket_id	Ticket ID	string	Unique ID per file
time	Time	string	The timestamp when the log was created
tls_server_host_name	TLS Server Host Name	string	SNI/CN from the encrypted TLS connection used by URL Filtering for categorization	R80.40
type	Type	string	Log type
verdict	Verdict	string	Threat Emulation engine verdict Possible values: Malicious Benign Error
user	User	string	Source username
vendor_list	Vendor List	string	The vendor name that provided the verdict for a malicious URL
web_client_type	Client Type	string	Web client detected in the HTTP request (e.g: Chrome)
web_server_type	Server Type	string	Web server detected in the HTTP response
Security Gateway - Firewall Fields
inzone	Source Zone	string	Indicates whether the source zone is internal or external
outzone	Destination Zone	string	Indicates whether the destination zone is internal or external
sub_policy_name	N/A	string	Layer name
sub_policy_uid	N/A	string	Layer UID
fw_message	Firewall Message	string	Used for various firewall errors
message	Message	string	ISP link has failed
isp_link	ISP link	string	Name of ISP link
fw_subproduct	Subproduct	string	Can be VPN or non-VPN
sctp_error	N/A	string	Error information, what caused SCTP to fail due to "out_of_state"
chunk_type	N/A	string	Chuck of the SCTP stream
sctp_association_state	N/A	string	The bad state you were trying to update to
tcp_packet_out_of_state	TCP packet out of state	string	State violation
tcp_flags	TCP Flags	string	TCP packet flags (SYN, ACK, etc.,)
connectivity_level	Connectivity Level	string	Log for a new connection in wire mode
ip_option	IP Option	int	IP option that was dropped
tcp_state	N/A	string	Log with a TCP state change
expire_time	N/A	timestmp	Connection closing time
icmp_type	ICMP Type	int	In case a connection is ICMP, type info will be added to the log
icmp_code	ICMP Code	int	In case a connection is ICMP, ICMP code info will be added to the log
rpc_prog	RPC Program	int	Log for new RPC state - prog values
dce-rpc_interface_uuid	DCE-RPC Interface UUID	uuid	Log for new RPC state - UUID values
start_time	Start Time	timestmp	Session start time
elapsed	Elapsed	time	Time passed since start time
packets	Packets	int	Number of packets encountered in connection
client_inbound_packets	Client Inbound Packets	int	Number of packets, received by the client
client_outbound_packets	Client Outbound Packets	int	Number of packets, sent from the client
server_inbound_packets	Server Inbound Packets	int	Number of packets, received by the server
server_outbound_packets	Server Outbound Packets	int	Number of packets, sent from the server
client_inbound_bytes	Client Inbound Bytes	int	Number of bytes received by the client
client_outbound_bytes	Client Outbound Bytes	int	Number of bytes sent from the client
server_inbound_bytes	Server Inbound Bytes	int	Number of packets received by the server
server_outbound_bytes	Server Outbound Bytes	int	Number of packets sent from the server
client_inbound_interface	Client Inbound Interface	string	Gateway interface, where the connection is received from in case of an outbound connection
client_outbound_interface	Client Outbound Interface	string	Gateway interface, where the connection is sent from, in case of an inbound connection
server_inbound_interface	Server Inbound Interface	string	Gateway interface, where the connection is received from, in case of an inbound connection
server_outbound_interface	Server Outbound Interface	string	Gateway interface, where the connection is sent from, in case of an outbound connection
icmp	ICMP	string	ICMP message, will be added to the connection log
capture_uuid	Captured UUID	luuid	UUID generated for the capture. Used when enabling the capture when logging.
diameter_app_name	N/A	string	The name defined/pre-configured for the diameter application
diameter_app_ID	N/A	int	The ID of diameter application
diameter_cmd_code	N/A	int	Diameter not allowed application command id
diameter_msg_type	N/A	string	Diameter message type
info	Information	string	Rule information on the blocked diameter CMD
cp_message	N/A	string	Used to log a general message
log_delay	Log Delay	int	Time left before deleting template
Security Gateway - Anti-Spam Fields
email_spam_category	Email Spam Category	string	Email categories Possible values: Spam Not spam Phishing
email_control	Email Control	string	Engine name
email_control_analysis	Email Control Analysis	string	Message classification, received from spam vendor engine
email_session_id	Email Session ID	string	Internal session ID
email_id	Email ID	string	Internal email ID
email_recipients_num	Email Recipients Number	int	Number of recipients
from	From	string	Sender email address
to	Recipient	string	Recipient email address
reason	Reason	string	Description of log's reason
Security Gateway - Anti-Virus Fields
scan_result	Scan Result	string	"Infected", or description of a failure
triggered_by	N/A	string	Engine or Software Blade that triggered the log
original_queue_id	Original Queue ID	string	Original Postfix email queue ID
risk	N/A	string	Risk level received from the engine
resource	Resource	string	In case of a malicious URL, the resource field will include that URL
email_recipients_num	Email Recipients Number	int	Number of recipients
observable_name	N/A	string	IoC observable signature name
observable_id	N/A	string	IoC observable signature ID
observable_comment	N/A	string	IoC observable signature description
indicator_name	Indicator Name	string	IoC indicator name
indicator_description	N/A	string	IoC indicator description
indicator_reference	N/A	string	IoC indicator reference
indicator_uuid	N/A	string	IoC indicator UUID
reason	Reason	string	Description of the log's reason
Security Gateway - Application Control & URL Filtering Fields
appi_name (match table)	Application Name	string	Application name
app_desc (match table)	Application Description	string	Application description
app_id (match table)	Application ID	int	Application ID
app_properties (match table)	Additional Categories	string	Application categories
app_risk (match table)	Application Risk	int	Application risk Possible values: 0 - Unknown 1 - Very Low 2 - Low 3 - Medium 4 - High 5 - Critical
app_rule_id	Application Rule ID	string	Rule number
app_rule_name	Application Rule Name	string	Rule name
app_sig_id (match table)	Application Signature ID	string	The signature ID, by which the application was detected
categories	Categories	string	Matched categories
certificate_resource	Resource	string	HTTPS resource Possible values: SNI or domain name (DN)	R80.40
certificate_validation	Certificate Validation	string	Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature	R80.40
description	Description	string	Additional explanation about the certificate validation failure	R80.40
usercheck_incident_uid	UserCheck ID	string	UserCheck incident ID
resource	Resource	string	HTTP connection resource
browse_time	Browse Time	time	Application session browse time
limit_requested	N/A	int	Indicates whether data limit was requested for the session
limit_applied	N/A	int	Indicates whether the session was actually date-limited
dropped_outgoing	N/A	int	Number of outgoing dropped packets
dropped_incoming	N/A	int	Number of incoming dropped packets
dropped_total	N/A	int	Number of dropped packets (both incoming and outgoing)
suppressed_logs	Suppressed Logs	int	Number of connections/HTTP sessions that were aggregated in this application session log
match_id (match table)	N/A	int	Mapping of matched rule to its matched application
client_type_os	N/A	string	Client OS detected in the HTTP request
referrer	N/A	string	The referrer header, if exists
name	N/A	string	Application name
properties (match table)	N/A	string	Application categories
risk	N/A	int	Application risk
sig_id	N/A	string	Application's signature ID, by which it was detected
desc	N/A	string	Override application description
referrer_self_uid	N/A	guid	UUID of the current log
referrer_parent_uid	N/A	guid	Log UUID of the referring application
needs_browse_time	N/A	int	Browse time required for the connection
security_inzone	N/A	string	Source security zone
security_outzone	N/A	string	Destination security zone
url	URL	string	Matched URL
Security Gateway - Cluster Fields
cluster_info	Cluster information	string	Cluster information Possible options: Failover reason Cluster state changes CP ClusterXL or 3rd party cluster
sync	Synchronization	string	Sync status and the reason (stable, at risk)
Security Gateway - Content Awareness Fields
file_direction	File Direction	string	File direction Possible options: upload download
invalid_file_size	N/A	int	The "file_size" field is valid only if this field is set to 0
top_archive_file_name	Archive File	string	In case of archive file: the file that was sent/received
data_type_name	Data Type	string	Data type in rulebase that was matched
specific_data_type_name	N/A	string	Compound/Group scenario, data type that was matched
word_list	N/A	string	Words matched by data type
Security Gateway - Data Loss Prevention (DLP) Fields
info	Information	string	Special log message
outgoing_url	Outgoing URL	string	URL related to this log (for HTTP)
dlp_rule_name	DLP Rule Name	string	Matched rule name
dlp_recipients	DLP Recipients	string	Mail recipients
dlp_subject	Mail Subject	string	Mail subject
dlp_word_list	DLP Words List	string	Phrases matched by data type
dlp_template_score	DLP Template Score	string	Template data type match score
message_size	Message Size	int	Mail/post size
dlp_rule_name	DLP Rule Name	string	Matched rule name
dlp_rule_uid	DLP Rule UID	string	Unique ID of the matched rule
dlp_incident_uid	DLP Incident UID	guid	Unique incident ID
dlp_related_incident_uid	Related Incidents	guid	Other ID related to this one
dlp_data_type_name	DLP Data Type Nam	string	Matched data type
dlp_data_type_uid	Data Type UID	string	Unique ID of the matched data type
outgoing_url	Outgoing URL	string	HTTP post URL
dlp_file_name	Scanned Data Fragment	string	Matched file
dlp_violation_description	Message to User	string	Violation descriptions described in the rulebase
dlp_relevant_data_types	N/A	string	In case of Compound/Group: the inner data types that were matched
dlp_action_reason	DLP Action Reason	string	Action chosen reason
dlp_categories	DLP Categories	string	Data type category
dlp_transint	DLP Transint	string	HTTP/SMTP/FTP
duplicate	Duplicate	string	Log marked as duplicated, when mail is split, and the Security Gateway detects it two times
incident_extension	Incident Extension	string	Format of original data
matched_file	Matched File	string	Fingerprint: the file from FP repository that was matched by the traffic
matched_file_text_segments	Matched File Text Segments	int	Fingerprint: number of text segments matched by this traffic
matched_file_percentage	Matched File Percentage	int	Fingerprint: match percentage of the traffic
dlp_addtional_action	DLP Additional Action	string	Watermark or None
dlp_watermark_profile	DLP Watermark Profile	string	Watermark that was applied
dlp_repository_id	Repository ID	string	ID of scanned repository
dlp_data_type_uid	Data Type UID	string	Fingerprint data type ID
dlp_data_type_name	DLP Data Type Name	string	Fingerprint data type name
dlp_repository_root_path	DLP Repository Root path	string	Repository path
scan_id	Scan ID	string	Sequential number of scan
special_properties	Special properties	int	If this field is set to '1', then the log is not shown (used for monitoring the scan progress)
dlp_repository_total_size	Repository size (MB)	int	Repository size
dlp_repository_files_number	Repository files	int	Number of files in repository
dlp_repository_scanned_files_number	Scanned files	int	Number of scanned files in repository
duration	Duration	time	Scan duration
dlp_fingerprint_long_status	Scan Status	string	Scan status - long format
dlp_fingerprint_short_status	Scan Status Code	string	Scan status - short format
dlp_repository_directories_number	Directories	int	Number of directories in repository
dlp_repository_unreachable _directories_number	Unreachable directories	int	Number of directories the Security Gateway was unable to read
dlp_fingerprinted_files_number	Fingerprinted Files	int	Number of successfully scanned files in repository
dlp_repository_skipped_files_number	Filtered Files	int	Skipped number of files because of configuration
dlp_repository_scanned_directories_number	N/A	int	Number of directories scanned
number_of_errors	Number of Errors	int	Number of files that were not scanned due to an error
next_scheduled_scan_date	Next Scheduled Scan Date	timestamp	Next scan scheduled time according to time object
dlp_repository_scanned_total_size	Scanned Size (MB)	int	Size scanned
dlp_repository_scanned_files_number	Scanned Files	int	Number of scanned files in repository
dlp_repository_reached_directories_number	Reachable Directories	int	Number of scanned directories in repository
dlp_fingerprint_short_status	Scan Status Code	string	Scan status - short format
dlp_repository_not_ scanned_directories_percentage	Not scanned directories percentage	int	Percentage of directories the Security Gateway was unable to read
dlp_repository_scanned_directories_number	Directories scanned	int	Number of files that were not scanned due to an error
speed	N/A	int	Current scan speed
dlp_repository_scan_progress	N/A	int	Scan percentage
dlp_relevant_data_types	DLP Relevant Data Types	string	If the matched data type is a group data type, then the field specifies which data types from that group were matched
Security Gateway - HTTPS Inspection Fields
https_inspection_rule_id	HTTPS Inspection Rule ID	string	ID of the matched rule
https_inspection_rule_name	HTTPS Inspection Rule Name	string	Name of the matched rule
app_properties (match table)	Additional Categories	string	List of all found categories
resource	Resource	string	HTTPS resource Possible values: SNI or domain name
https_validation	HTTPS Validation	string	Precise error, describing HTTPS inspection failure
https_inspection_action	Inspection Action	string	HTTPS Inspection action (Inspect/Bypass/Error)
Security Gateway - ICAP Client Fields
icap_service_id	N/A	int	Service ID, can work with multiple servers, treated as "services"
icap_server_name	N/A	string	Server name
internal_error	N/A	string	Internal error, for troubleshooting
verdict	Verdict	string	Enforcement per HTTP connection Possible values: Accept, Block-Reject, Data-modification
icap_more_info	N/A	string	Free text for verdict
reply_status	N/A	int	ICAP reply status code, e.g., 200 or 204
icap_server_service	N/A	string	Service name, as given in the ICAP URI
mirror_and_decrypt_type	N/A	string	Information about decrypt and forward Possible values: Mirror only Decrypt and Mirror Partial mirroring (HTTPS Inspection Bypass)
interface_name	N/A	string	Designated interface for Mirror and Decrypt
session_uid	N/A	int	HTTP session ID
Security Gateway - Identity Awareness Fields
broker_publisher	Broker Publisher	ipaddr	IP address of the broker publisher who shared the session information	R80.40
src_machine_name	Source Machine Name	string	Machine name connected to the source IP address
src_user_dn	N/A	string	User distinguished name connected to the source IP address
proxy_user_name	N/A	string	Username connected to the proxy IP address
proxy_machine_name	N/A	string	Machine name connected to the proxy IP address
proxy_user_dn	N/A	string	User distinguished name connected to the proxy IP address
dst_machine_name	Destination Machine Name	string	Machine name connected to the destination IP address
Security Gateway - IPS Fields
resource	Resource	string	Malicious domain
query	Query	string	DNS query
dns_query	DNS query	string	DNS query
dns_type	DNS Type	string	DNS query type
inspection_item	N/A	string	Blade element performed inspection
performance_impact	Performance Impact	int	Protection performance impact
inspection_category	N/A	string	Inspection category: protocol anomaly, signature etc.
inspection_profile	N/A	string	Profile which the activated protection belongs to
inspection_information	N/A	string	Attack or violation description
message	Message	string	Additional information
suppressed_logs	Suppressed Logs	int	Total number of aggregated malicious connections
summary	N/A	string	Summary message for non-compliant DNS traffic drops or detects
tid	Tunnel ID	int	DNS Transaction ID
dns_message_type	N/A	string	DNS message type Possible values: Query Response Authoritative response
question_rdata	N/A	string	List of question records domains
answer_rdata	N/A	string	List of answer resource records to the questioned domains
authority_rdata	N/A	string	List of authoritative servers
additional_rdata	N/A	string	List of additional resource records
files_names	N/A	string	List of files requested by FTP
ftp_user	N/A	string	FTP username
mime_from	N/A	string	Sender's address
mime_to	N/A	string	List of receiver address
cc	N/A	string	List of CC addresses
bcc	N/A	string	List of BCC addresses
content_type	Content Type	string	Mail content type Possible values: application msword text/html image/gif etc.
subject	Subject	string	Mail subject
user_agent	N/A	string	String that identifies the requesting software user-agent
referrer	N/A	string	Referrer HTTP request header, previous web page address.
http_location	N/A	string	Response header, indicates the URL to redirect a page to
content_disposition	N/A	string	Indicates how the content is expected to be displayed inline in the web browser
via	N/A	string	"Via" header is added by proxies for tracking purposes to avoid sending requests in loop
http_server	N/A	string	Server HTTP header value, contains information about the software used by the origin server, which handles the request
content_length	N/A	string	Indicates the size of the entity-body of the HTTP header
method	N/A	string	HTTP method (GET, POST, PUT, etc.)
status	Status	string	HTTP status code
authorization	N/A	string	Authorization HTTP header value
http_host	N/A	string	Domain name of the server that the HTTP request is sent to
industry_reference	Industry Reference	string	CVE registry entry
inspection_settings_log	N/A	string	Indicates that the log was released by inspection settings
Security Gateway - Mail Transfer Agent (MTA) Fields
email_control	Email Control	string	Engine name
email_message_id	Email Message ID	string	Email session ID (unique ID of the mail)
email_session_id	Email Session ID	string	Internal session ID
email_recipients_num	Email Recipients Number	int	Number of recipients
email_id	Email ID	string	Internal email ID
email_queue_id	Email Queue ID	string	Postfix email queue ID
email_queue_name	Email Queue Name	string	Postfix email queue name
original_queue_id	Original Queue ID	string	Original postfix email queue ID
file_name	File Name	string	Malicious file name
failure_reason	Failure Reason	string	MTA failure description
email_headers	N/A	string	String containing all the email headers
arrival_time	Arrival Time	timestmp	Email arrival timestamp
email_status	Email Status	string	Describes the email's state Possible options: delivered deferred skipped bounced hold new scan_started scan_ended
status_update	Last status update	timestmp	Last time log was updated
original_queue_id	Original Queue ID	string	Original postfix email queue ID
scan_started	Scan Started	timestmp	Beginning of the scanning process timestamp
scan_ended	Scan Ended	timestmp	End of the scanning process timestamp
delivery_time	Delivery Time	timestmp	Timestamp of when email was delivered (MTA finished handling the email
links_num	Links Number	int	Number of links in the mail
attachments_num	Attachments Number	int	Number of attachments in the mail
email_content	Email Content	string	Mail contents Possible options: attachments/links attachments/links/text only
Security Gateway - Mobile Access Fields
user_group	User Group	string	The group to which the user belongs, upon login
cvpn_resource	Application	string	Mobile Access application
cvpn_category	Mobile Access Category	string	Mobile Access application type
url	URL	string	Translated URL
outgoing_url	Outgoing Url	string	Untranslated URL, as seen inside the internal network
reject_id	Reject ID	string	A reject ID that corresponds to the one presented in the Mobile Access error page
fs-proto	N/A	string	The file share protocol used in Mobile Access File Share application
session_uid	Mobile Access Session UID	guid	Mobile Access session identification
Security Gateway - NAT Fields
allocated_ports	Allocated Ports	int	Amount of allocated NAT ports	R80.40
capacity	Capacity	int	Capacity of the NAT ports	R80.40
ports_usage	Ports Usage	int	Percentage of allocated NAT ports	R80.40
nat_exhausted_pool	Nat Exhausted Pool	string	4-tuple of an exhausted NAT pool	R80.40 R80.10 - R80.30 Jumbo Hotfixes
xlatesrc	Xlate (NAT) Source IP	ipaddr	Source IPv4 address after applying NAT
xlatedst	Xlate (NAT) Destination IP	ipaddr	Destination IPv4 address after applying NAT
xlatesint	Xlate (NAT) Source Port	int	Source port after applying Hide NAT on the source IP address
xlatedint	Xlate (NAT) Destination Port	int	Destination port after applying NAT
nat_rulenum	NAT Rule Number	int	NAT rulebase first matched rule
nat_addtnl_rulenum	NAT Additional Rule Number	int	When matching 2 automatic rules, the second rule match is shown. Otherwise, this field has the value 0.
message_info	Message Information	string	Used for information messages, for example: NAT connection has ended
nat46	N/A	string	NAT46 status In most cases "enabled"
end_time	N/A	timestmp	TCP connection end time
tcp_end_reason	N/A	string	Reason for TCP connection closure
nat_rulenum	NAT Rule Number	int	NAT rulebase first matched rule
cgnet	N/A	string	Describes the NAT allocation for specific subscriber
subscriber	N/A	ipaddr	Source IP address before CGNAT
hide_ip	N/A	ipaddr	Source IP address to be used after CGNAT
int_start	N/A	int	Subscriber start integer to be used for NAT
int_end	N/A	int	Subscriber end integer to be used for NAT
Security Gateway - SecureXL Fields
drop_reason	Drop Reason	string	Aggregated logs of dropped packets
packet_amount	N/A	int	Number of packets dropped
packets	Packets	string	Connection tuple: Source IP address Source Port Destination IP address Destination Port Protocol Number
monitor_reason	N/A	string	Aggregated logs of monitored packets
message_info	Message Information	string	Information on multicast packet dropped
drops_amount	N/A	int	Amount of multicast packets dropped
securexl_message	N/A	string	Two options for a SecureXL message: 1. Missed accounting records after heavy load on the logging system 2. FireWall log message regarding a packet drop
conns_amount	N/A	int	Number of connections in the aggregated log
aggregation_info	N/A	string	List of aggregated source connections
Security Gateway - Threat Emulation Fields Harmony Endpoint - Threat Emulation Fields
scope	Scope	ipvxaddr	IP address related to the attack
analyzed_on	Analyzed On	string	Check Point ThreatCloud / emulator name
detected_on	Vulnerable Operating Systems	string	System and applications version, on which the file was emulated
dropped_file_name	Dropped File Name	string	List of names dropped from the original file
dropped_file_type	Dropped File Type	string	List of file types dropped from the original file
dropped_file_hash	Dropped File Hash	string	List of file hashes dropped from the original file
dropped_file_verdict	Dropped File Verdict	string	List of file verdicts dropped from the original file
emulated_on	Not Vulnerable OS	string	Images, in which the files were emulated
extracted_file_type	Extracted File Type	string	Types of extracted files in case of an archive
extracted_file_names	Extracted File Names	string	Names of extracted files in case of an archive
extracted_file_hash	Extracted File Hash	string	Archive hash in case of extracted files
extracted_file_verdict	N/A	string	Verdict of extracted files in case of an archive
extracted_file_uid	N/A	string	UID of extracted files in case of an archive
mitre_initial_access	Mitre Initial Access	string	The adversary is trying to break into your network
mitre_execution	Mitre Execution	string	The adversary is trying to run malicious code
mitre_persistence	Mitre Persistence	string	The adversary is trying to maintain his foothold
mitre_privilege_escalation	Mtre Privilege Escalation	string	The adversary is trying to gain higher-level permissions
mitre_defense_evasion	Mitre Defense Evasion	string	The adversary is trying to avoid being detected
mitre_credential_access	Mitre Credential Access	string	The adversary is trying to steal account names and passwords
mitre_discovery	Mitre Discovery	string	The adversary is trying to expose information about your environment
mitre_lateral_movement	Mitre Lateral Movement	string	The adversary is trying to explore your environment
mitre_collection	Mitre Collection	string	The adversary is trying to collect data of interest to achieve his goal
mitre_command_and_control	Mitre Command And Control	string	The adversary is trying to communicate with compromised systems to control them
mitre_exfiltration	Mitre Exfiltration	string	The adversary is trying to steal data
mitre_impact	Mitre Impact	string	The adversary is trying to manipulate, interrupt, or destroy your systems and data
parent_file_hash	N/A	string	Archive's hash in case of extracted files
parent_file_name	N/A	string	Archive's name in case of extracted files
parent_file_uid	N/A	string	Archive's UID in case of extracted files
similiar_iocs	Similar IoCs	string	Other IoCs, similar to the ones found, related to the malicious file
similar_hashes	Similar Hashes	string	Hashes found similar to the malicious file
similar_strings		string	Strings found similar to the malicious file
similar_communication	Similar Communication	string	Network action found similar to the malicious file
te_verdict_determined_by	Determined By	string	Emulators determined file verdict
packet_capture_unique_id	Packet Capture Unique Id	string	Identifier of the packet capture files
total_attachments	Total Attachments	int	The number of attachments in an email
Security Gateway - Threat Extraction Fields Harmony Endpoint - Threat Extraction Fields
additional_info	General Information	string	ID of original file/mail which are sent by admin
content_risk	Content Risk	int	File risk Possible values: 0 - Unknown 1 - Very Low 2 - Low 3 - Medium 4 - High 5 - Critical
operation	Operation	string	Operation made by Threat Extraction
scrubbed_content	Suspicious Content	string	Active content that was found
scrub_time	N/A	string	Extraction process duration
scrub_download_time	N/A	string	File download time from resource
scrub_total_time	N/A	string	Threat extraction total file handling time
scrub_activity	Threat Extraction Activity	string	The result of the extraction
subject	Subject	string	Mail subject
watermark	N/A	string	Reports whether watermark is added to the cleaned file
Security Gateway - Unified Policy Fields
domain_name	Domain Name	string	Domain name sent to DNS request
source_object	N/A	string	Matched object name on source column
destination_object	N/A	string	Matched object name on destination column
drop_reason	Drop Reason	string	Drop reason description
hit	N/A	int	Number of hits on a rule
rulebase_id	N/A	int	Layer number
first_hit_time	N/A	int	First hit time in current interval
last_hit_time	Last Update Time	int	Last hit time in current interval
rematch_info	N/A	string	Information sent when old connections cannot be matched during policy installation
last_rematch_time	N/A	timestmp	Connection rematched time
action_reason	Action Reason	string	Connection drop reason
c_bytes	N/A	int	Boolean value indicates whether bytes sent from the client side are used
context_num	N/A	int	Serial number of the log for a specific connection
match_id (match table)	N/A	int	Private key of the rule
alert (UP alert hll table)	Alert	string	Alert level of matched rule (for connection logs)
action	Action	int	Action of matched rule Possible values: 0 - Drop 1 - Reject 2 - Accept 3 - Encrypt 4 - Decrypt 17 - Authorize 18 - Deauthorize 30 - Bypass 33 - Block 34 - Detect 39 - Do not send 43 - Allow 46 - Ask User 61 - Extract Note: This field is not mandatory to every log
parent_rule (match table)	N/A	int	Parent rule number, in case of inline layer
match_fk	N/A	int	Rule number
dropped_outgoing	N/A	int	Number of outgoing bytes dropped when using UP-limit feature
dropped_incoming	N/A	int	Number of incoming bytes dropped when using UP-limit feature
dropped_total	N/A	int	Total bytes dropped when using UP-limit feature
Security Gateway - VoIP Fields
content_type	Content Type	string	VoIP session
media_type	N/A	string	Media used (audio, video, etc.)
sip_reason	SIP Reason	string	Explains why 'source_ip' is not allowed to redirect (handover)
voip_method	Request	string	Registration request
registered_ip-phones	N/A	string	Registered IP-Phones
voip_reg_user_type	Registered IP-Phone Type	string	Registered IP-Phone type
voip_call_id	VoIP Call ID	string	Call-ID
voip_reg_int	Registration Port	int	Registration port
voip_reg_ipp	Registration IP Protocol	int	Registration IP protocol
voip_reg_period	Registration Period	int	Registration period
voip_log_type	VoIP Log Type	string	VoIP log types Possible values: reject, call, registration
voip_method	Request	string	Call request
src_phone_number	Source IP-phone	string	Source IP -Phone
voip_from_user_type	Source IP-Phone Type	string	Source IP-Phone type
dst_phone_number	Destination Phone Number	string	Destination IP-Phone
voip_to_user_type	Destination IP-Phone Type	string	Destination IP-Phone type
voip_call_dir	VoIP Call direction	string	Call direction: in/out
voip_call_state	VoIP Call State	string	Call state Possible values: in out
voip_call_term_time	Call termination time stamp	string	Call termination time stamp
voip_duration	VoIP Duration	time	Call duration (seconds)
voip_media_port	Media Port	string	Media port
voip_media_ipp	Media IP Protocol	string	Media IP protocol
voip_est_codec	Estimated Codec	string	Estimated codec
voip_exp	Expiration	int	Expiration
voip_attach_sz	VoIP Attachment Size	int	Attachment size
voip_attach_action_info	VoIP Attach Action Information	string	Attachment action information
src_phone_number	Source IP-phone	string	Source IP-Phone
voip_media_codec	N/A	string	Estimated codec
voip_reject_reason	VoIP Reject Reason	string	Reject reason
voip_reason_info	VoIP Reject Reason Information	string	Information
voip_config	VoIP Configuration	string	Configuration
voip_reg_server	Registrar Server	ipaddr	Registrar server IP address
Security Gateway - VPN Fields
scv_user	SCV User	string	Username, whose packets are dropped during Secure Configuration Verification (SCV)
scv_message_info	SCV Message Information	string	Drop reason
ppp	Point to Point Protocol	string	Authentication status
scheme	Encryption Scheme	string	Describes the scheme used for the log
auth_method	Authentication Method	string	Password authentication protocol used (PAP or EAP)
machine	Machine	string	L2TP machine which triggered the log and the log refers to it
vpn_feature_name	VPN Feature	string	L2TP / IKE / Link Selection
reject_category	Reject Category	string	Authentication failure reason
peer_ip_probing_status_update	N/A	string	IP address response status
peer_ip	N/A	string	IP address which the client connects to
peer_gateway	VPN Peer Gateway	ipaddr	Main IP address of the VPN peer Security Gateway
link_probing_status_update	N/A	string	IP address response status
source_interface	N/A	string	External Interface name for source interface or Null if not found
next_hop_ip	N/A	string	Next hop IP address
srckeyid	Source Key ID	string	Initiator SPI ID
dstkeyid	Destination Key ID	string	Responder SPI ID
encryption_failure	Encryption Failure	string	Message indicating why the encryption failed
ike_ids	N/A	string	All Quick Mode (QM) IDs
community	Community	string	Community name for the IPsec key and the use of the IKE
ike	N/A	string	IKEMode (PHASE1, PHASE2, etc.)
cookieI	IKE Initiator Cookie	string	Initiator cookie
cookieR	IKE Responder Cookie	string	Responder cookie
msgid	IKE Phase2 Message ID	string	Message ID
methods	Encryption Methods	string	IPsec methods
connection_uid	Connection UID	luuid	Calculation of MD5 of the IP address and username as UID
site_name	N/A	string	VPN Site name
cvpn_category	Mobile Access Category	string	Endpoint Security On Demand (ESOD)
esod_rule_name	ESOD Rule Name	string	Unknown rule name
esod_rule_action	ESOD Rule Action	string	Unknown rule action
esod_rule_type	ESOD Rule Type	string	Unknown rule type
esod_noncompliance_reason	ESOD Noncompliance Reason	string	Non-compliance reason
esod_associated_policies	ESOD Associated Policies	string	Associated policies
spyware_name	Malware Name	string	Spyware name
spyware_type	Malware Type	string	Spyware type
anti_virus_type	Virus Type	string	Anti-Virus type
end_user_firewall_type	End User Firewall Type	string	End user firewall type
esod_scan_status	ESOD Scan Status	string	Scan failed
esod_access_status	ESOD access status	string	Access denied
client_type	N/A	string	Endpoint Connect
message	Message	string	General log message
session_uid	N/A	guid	SNX Session GUID
Security Gateway - Web Security Fields
summary	N/A	string	URLs detected for a specific host
resource	Resource	string	The resource from the HTTP request
precise_error	N/A	string	HTTP parser error
method	N/A	string	HTTP method Possible values: 0 - DELETE 500 - GET 1000 - HEAD 1500 - METHOD 2000 - OPTIONS 2500 - POST 3000 - PUT 3500 - TRACE 4000 - CONNECT
Harmony Endpoint - Common Fields
client_name	Client Name	string	Client Application or Software Blade that detected the event
client_version	Product Version	string	Build version of Harmony Endpoint client installed on the computer
extension_version	Extension Version	string	Build version of the Harmony Endpoint Browse Extension
host_time	Host Time	string	Local time on the endpoint computer
installed_products	Installed Blades	string	List of installed Endpoint Software Blades
os_name	OS Name	string	Name of the OS installed on the source endpoint computer
os_version	OS Version	string	Build version of the OS installed on the source endpoint computer
packet_capture	Packet Capture	string	Link to the PCAP traffic capture file with the recorded malicious connection
process_md5	Process MD5	string	MD5 hash of the process that triggered the attack
process_name	Process Name	string	Name of the process that triggered the attack
cc	CC	string	The Carbon Copy address of the email
reason	Reason	string	The reason for detecting or stopping the attack
resource	Resource	string	URL, Domain, or DNS of the malicious request
Harmony Endpoint - Anti-Bot Fields
first_detection	First Detection	string	Time of the first detection of the infection
last_detection	Last Detection	string	Time of the last detection of the infection
parent_process_md5	Parent Process MD5	string	MD5 hash of the parent process of the process that triggered the attack
parent_process_name	Parent Process Name	string	Name of the parent process of the process that triggered the attack
parent_process_username	Parent Process Username	string	Owner username of the parent process of the process that triggered the attack
process_username	Process Username	string	Owner username of the process that triggered the attack
Harmony Endpoint - Anti-Malware Fields
destination_dns_hostname	Destination DNS Hostname	string	Malicious DNS request domain
smartdefense_profile (TP match table)	Threat Profile	string	IPS profile responsible for the decision about the action
email_session_id	Email Session ID	string	Email session ID (unique ID of the mail)
email_recipients_num	Email Recipients Number	string	Number of recipients to whom the mail was sent
suppressed_logs	Suppressed logs	int	Aggregated connections for five minutes on the same source, destination, and port
blade_name	N/A	string	Software Blade name
status	status	int	Ok Warning Error
short_desc	N/A	string	Short description of the process that was executed
long_desc	N/A	string	More information on the process (usually describing error reason in failure)
scan_hosts_hour	N/A	int	Number of unique hosts during the last hour
scan_hosts_day	N/A	int	Number of unique hosts during the last day
scan_hosts_week	N/A	int	Number of unique hosts during the last week
unique_detected_hour	N/A	int	Detected virus for a specific host during the last hour
unique_detected_day	N/A	int	Detected virus for a specific host during the last day
unique_detected_week	N/A	int	Detected virus for a specific host during the last week
scan_mail	N/A	int	Number of emails that were scanned by the "Anti-Bot malicious activity" engine
additional_ip	Additional IP	string	DNS host name
description	Description	string	Additional explanation how the security gateway enforced the connection
Harmony Endpoint - Forensics Fields
attack_status	Attack Status	string	In case of a malicious event on an endpoint computer, the status of the attack
impacted_files	Impacted Files	string	In case of an infection on an endpoint computer, the list of files that the malware impacted
remediated_files	Remediated Files	string	In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer
triggered_by	Triggered By	string	The name of the mechanism that triggered the Software Blade to enforce a protection
Harmony Endpoint - Zero Phishing Fields
trusted_domain	Trusted Domain	string	In case of phishing event, the domain, which the attacker was impersonating
Harmony Mobile App Fields
app_package	App Package	string	Unique identifier of the application on the protected mobile device	R80.20
appi_name	Application Name	string	Name of application downloaded on the protected mobile device	R80.20
app_repackaged	Application Repackaged	string	Indicates whether the original application was repackaged not by the official developer	R80.20
app_sid_id	Application Signature ID	string	Unique SHA identifier of a mobile application	R80.20
app_version	Application Version	string	Version of the application downloaded on the protected mobile device	R80.20
developer_certificate_name	Developer Certificate Name	string	Name of the developer's certificate that was used to sign the mobile application	R80.20

Audit logs

Enter a string to filter this table:

Field Name	Field Display Name	Type	Description
administrator	Administrator	string	User who performed the operation
fieldschanges	Changes	string	Specific changes done on the affected object
client_ip	Client IP	ipaddr	IP address of the client machine, from which the change was performed
logic changes	Logic Changes	string	Technical information about the specific changes done on the affected object
objecttype	Object Type	string	The type of the affected object
operation	Operation	string	The type of operation done on the object or rule
operation number	Operation Number	int	Operation number done by the administrator, each operation is represented by a number Show / Hide this section 0 - Create Object 1 - Update Object 2 - Rename Object 3 - Delete Object 4 - Unlock Object 5 - Ublock Table 6 - Unlock Database 7 - Install Security policy 8 - Uninstall Security policy 9 - Status Change 10 - Log in 11 - Login Failed 12 - Logout 13 - Init Sic Certificate 14 - Push Sic Certificate 15 - Revoke Sic Certificate 16 - Init IKE Key 17 - Disable IKE Key 18 - Generate IKE Certificate 19 - Revoke IKE Certificate 20 - OMSEC Command 21 - Kill Operation 22 - Restore Version 23 - Create Version 24 - Delete Version 25 - Automatic Log Export 26 - Synchronize Peer 27 - Synchronized By Peer 28 - Change to Active 29 - Change to Standby 30 - Detect Active Server 31 - General Database Change 32 - Put File 33 - Fetch File 34 - SmartUpdate Install Module 35 - SmartUpdate Uninstall Module 36 - MDS License Violation Detected 37 - CMA Synchronized by an SMC Backup Server 38 - System Message 39 - MDS Assign Global Policy and Install Last Policy 40 - MDS Assign Global Policy 41 - MDS Install Last Policy 42 - MDS Remove Global Policy 43 - MDS Start CMA 44 - MDS Stop CMA 45 - MDS Enable Global Use 46 - MDS Disable Global Use 47 - VSX Configuration Update 48 - Set Session Description 49 - Log Export 50 - Log Switch 51 - Log Purge 52 - Plugin Activate 53 - Plugin Deactivate 54 - Validation Failure 55 - P1SHELL Command 56 - MDS License Operation 57 - Portable Client Password Recovery 58 - Security Management Server IP Address Changed 59 - DLP Incident Viewed 60 - IPS Contract Invalid
objectname	Performed On	string	The name of the object that is affected by the action
session_name	Session Name	string	The name of the session, in which the change was published
session_description	Session Description	string	The description of the session, in which the change was published
subject	Subject	string	Audit log category