Log Fields
|
Field Display Name |
Check Point Field Name |
Description |
Output Example |
|---|---|---|---|
|
|
|
Response to attack, as defined by policy. |
|
|
|
|
Description of the detected malicious action. |
|
|
|
|
Where the detected resource was analyzed. |
|
|
|
|
Unique identifier of the application on the protected mobile device. |
|
|
|
|
Name of the application downloaded on the protected mobile device. |
|
|
|
|
Indicates whether the original application was repackage not by the official developer. |
|
|
|
|
Unique SHA identifier of a mobile application. |
|
|
|
|
Version of the application downloaded on the protected mobile device. |
|
|
|
|
Description of the vulnerability in case of a host or network vulnerability. |
|
|
|
|
Name of the vulnerability category in case of a host or network vulnerability. |
|
|
|
|
In case of a malicious event on an endpoint computer, the status of the attack. |
|
|
|
|
In case of a malicious SMS, shows the phone number of the sender of the malicious link inside the SMS. |
|
|
|
|
The Blind Carbon Copy address of the email. |
|
|
|
|
Name of the Software Blade. |
|
|
|
|
The unique MAC address of the Wi-Fi network related to the Wi-Fi attack against a mobile device. |
|
|
|
Aggregation of:
|
Amount of bytes that was sent and received in the attack. |
|
|
|
|
The Carbon Copy address of the email. |
|
|
|
|
The Common Name that identifies the host name associated with the certificate. |
|
|
|
|
Client Application or Software Blade that detected the event. |
|
|
|
|
Detection confidence based on Check Point ThreatCloud. |
|
|
|
|
The risk of the extracted content from a document. |
|
|
|
|
Unique ID for the event in the Cloud Dashboard . |
|
|
|
|
Name of the Cloud Mobile Dashboard. |
|
|
|
|
Cloud Mobile Dashboard time when the log was created. |
|
|
|
|
Additional information about detected attack, or the error related to the connection. |
|
|
|
|
Attack destination IP address. |
|
|
|
|
Emulators that determined the file is malicious. |
|
|
|
|
Name of the developer's certificate that was used to sign the mobile application. |
|
|
|
|
Certificate SHA of the developer's certificate that was used to sign the mobile application. |
|
|
|
|
Unique ID of the mobile device. |
|
|
|
|
Connection direction. |
|
|
|
|
The number of recipients, who received the same email. |
|
|
|
|
The subject of the email that was inspected by Check Point. |
|
|
|
|
Build version of the SandBlast Agent browser extension. |
|
|
|
|
In case of an archive file, the list of hashes of archived files. |
|
|
|
|
In case of an archive file, the list of archived file names. |
|
|
|
|
In case of an archive file, the archived file types. |
|
|
|
|
In case of an archive file, the verdict for internal files. |
|
|
|
|
In case of a malicious file that was found by Anti-Virus, the direction of the connection:
|
|
|
|
|
MD5 hash of the detected file. |
|
|
|
|
Name of the detected file. |
|
|
|
|
SHA1 hash of the detected file. |
|
|
|
|
SHA256 hash of the detected file. |
|
|
|
|
Size (in bytes) of the detected file. |
|
|
|
|
Extension of the detected file. |
|
|
|
|
Time of the first detection of the infection. |
|
|
|
|
In case of a malicious activity on the mobile device, the location of the mobile device (in the format: Longitude, Latitude). |
|
|
|
|
Mobile device hardware model. |
|
|
|
|
Local time on the endpoint computer. |
|
|
|
|
Type of the source endpoint computer. |
|
|
|
|
In case of an infection on an endpoint computer, the list of files that the malware impacted. |
|
|
|
|
Link to the related MITRE vulnerability documentation. |
|
|
|
|
List of installed Endpoint Software Blade. |
|
|
|
|
The name of the Security Gateway, through which a connection traverses. |
|
|
|
|
Indicates whether the integrity of the mobile device OS is violated:
|
|
|
|
|
Time of the last detection of the infection. |
|
|
|
|
Description of the detected malware activity. |
|
|
|
|
Name of the malware related to the malicious IOC. |
|
|
|
|
Mobile Device ID on the MDM system. |
|
|
|
|
Public key of the certificate that was used for SSL interception. |
|
|
|
|
Emulators that did not found the file malicious. |
|
|
|
|
Name of the first Security Gateway that reported this event. |
|
|
|
|
Name of the OS installed on the source endpoint computer. |
|
|
|
|
Build version of the OS installed on the source endpoint computer. |
|
|
|
|
Link to the PCAP traffic capture file with the recorded malicious connection. |
|
|
|
|
MD5 hash of the parent process of the process that triggered the attack. |
|
|
|
|
Name of the parent process of the process that triggered the attack. |
|
|
|
|
Owner username of the parent process of the process that triggered the attack. |
|
|
|
|
IPS Signature performance impact on the Security Gateway. |
|
|
|
|
The phone number of the mobile device. |
|
|
|
|
Date of the last policy fetch. |
|
|
|
|
Name of the Management Server that manages this Security Gateway. |
|
|
|
|
Name of the last policy that this Security Gatewayfetched. |
|
|
|
|
MD5 hash of the process that triggered the attack. |
|
|
|
|
Name of the process that triggered the attack. |
|
|
|
|
Owner username of the process that triggered the attack. |
|
|
|
|
Name of the Software Blade family. |
|
|
|
|
Build version of SandBlast Agent client installed on the computer. |
|
|
|
|
Specific name of the attack signature. |
|
|
|
|
Type of the protection used to detect the attack. |
|
|
|
|
The reason for detecting or stopping the attack. |
|
|
|
|
Destination email address. |
|
|
|
|
In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. |
|
|
|
|
URL, Domain, or DNS of the malicious request. |
|
|
|
|
Shows the risk rate, in case the Threat Extraction Software Blade found a suspicious content. |
|
|
|
|
Protected scope defined in the rule. |
|
|
|
|
Source email address. |
|
|
|
|
Protocol and destination port. |
|
|
|
|
Incident severity level based on Check Point ThreatCloud. |
|
|
|
|
Attack source IP address. |
|
|
|
|
The phone number of the source mobile device. |
|
|
|
|
Source port of the connection. |
|
|
|
|
The name of the Wi-Fi network, in case a suspicious or malicious event was found in SandBlast Mobile. |
|
|
|
|
The subject of the email that was inspected by Check Point. |
|
|
|
|
Shows the number of malicious connection attempts in a burst. Burst - A series of repeated connection attempts within a very short time period. The attempted connections must all have the same:
|
|
|
|
|
Shows the content that Threat Extraction Software Blade removed. |
|
|
|
|
Indicates whether the detected app is installed in the device ROM. |
|
|
|
|
Description of the risky active content that the Security Gateway found and cleaned. |
|
|
|
|
Name of the IPS profile, if it is managed separately from other Threat Prevention Software Blade. |
|
|
|
|
The time stamp when the log was created. |
|
|
|
|
The number of attachments in an email. |
|
|
|
|
The name of the mechanism that triggered the Software Blade to enforce a protection. |
|
|
|
|
In case of phishing event, the domain, which the attacker was impersonating. |
|
|
|
|
Log type. |
|
|
|
|
The vendor name that provided the verdict for a malicious URL. |
|
|
|
|
Verdict of the malicious activity/File. |
|
|
|
|
Emulators that found the file malicious. |
|