Log Fields

Field Display Name	Check Point Field Name	Description	Output Example
`Action`	`action`	Response to attack, as defined by policy.	`prevent`
`Action Details`	`action_details`	Description of the detected malicious action.	`Communicating with a Command and control server`
`Analyzed On`	`analyzed_on`	Where the detected resource was analyzed.	`"Check Point Threat Emulation Cloud";`
`App Package`	`app_package`	Unique identifier of the application on the protected mobile device.	`com.facebook.katana`
`Application Name`	`appi_name`	Name of the application downloaded on the protected mobile device.	`Free Music MP3 Player`
`Application Repackaged`	`app_repackaged`	Indicates whether the original application was repackage not by the official developer.	`TRUE`
`Application Signature ID`	`app_sig_id`	Unique SHA identifier of a mobile application.	`b65113323 31bc8bc64 e8bdb1cd9 15592b29f 4606`
`Application Version`	`app_version`	Version of the application downloaded on the protected mobile device.	`1.3`
`Attack Information`	`attack_info`	Description of the vulnerability in case of a host or network vulnerability.	`Linux EternalRed Samba Remote Code Execution`
`Attack Name`	`attack`	Name of the vulnerability category in case of a host or network vulnerability.	`Windows SMB Protection Violation`
`Attack Status`	`attack_status`	In case of a malicious event on an endpoint computer, the status of the attack.	`Active`
`Attacker Phone Number`	`attacker_phone_number`	In case of a malicious SMS, shows the phone number of the sender of the malicious link inside the SMS.	`15712244010`
`BCC`	`bcc`	The Blind Carbon Copy address of the email.	`mail@example.com`
`Blade`	`product`	Name of the Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..	`Anti-Bot`
`BSSID`	`bssid`	The unique MAC address of the Wi-Fi network related to the Wi-Fi attack against a mobile device.	`98:FC:11:B9:24:12`
`Bytes (sent\received)`	Aggregation of: `sent_bytes` `received_bytes`	Amount of bytes that was sent and received in the attack.	`24 B \ 118 B`
`CC`	`cc`	The Carbon Copy address of the email.	`mail@example.com`
`Certificate Name`	`certificate_name`	The Common Name that identifies the host name associated with the certificate.	`Piso-Nuevo`
`Client Name`	`client_name`	Client Application or Software Blade that detected the event.	`Check Point Endpoint Security Client`
`Confidence Level`	`confidence_level`	Detection confidence based on Check Point ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware..	`Medium`
`Content Risk`	`content_risk`	The risk of the extracted content from a document.	`4 - high`
`Dashboard Event ID`	`dashboard_event_id`	Unique ID for the event in the Cloud Dashboard .	`1729`
`Dashboard Origin`	`dashboard_orig`	Name of the Cloud Mobile Dashboard.	`SBM Cloud management`
`Dashboard Time`	`dashboard_time`	Cloud Mobile Dashboard time when the log was created.	`7th july 2018 22:27`
`Description`	`description`	Additional information about detected attack, or the error related to the connection.	`Check Point Online Web Service failure. See sk74040 for more information.`
`Destination`	`dst`	Attack destination IP address.	`192.168.22.2`
`Determined By`	`te_verdict_determined_by`	Emulators that determined the file is malicious.	`Win7 64b,Office 2010,Adobe 11: local cache. Win7,Office 2013,Adobe 11: local cache.`
`Developer Certificate Name`	`developer_certificate_name`	Name of the developer's certificate that was used to sign the mobile application.	`iPhone Developer (6MZTQJDTZ)`
`Developer Certificate Sha`	`developer_certificate_sha`	Certificate SHA of the developer's certificate that was used to sign the mobile application.	`Sha1`
`Device ID`	`device_identification`	Unique ID of the mobile device.	`2739`
`Direction`	`interfacedir`	Connection direction.	`'inbound'; 'outbound'`
`Email Recipients Number`	`email_recipients_num`	The number of recipients, who received the same email.	`6`
`Email Subject`	`email_subject`	The subject of the email that was inspected by Check Point.	`invoice #43662`
`Extension Version`	`extension_version`	Build version of the SandBlast Agent browser extension.	`SandBlast Extension 990.45.6`
`Extracted File Hash`	`extracted_file_hash`	In case of an archive file, the list of hashes of archived files.	`8e3951897 bf8371e60 10e3254b9 9e86d`
`Extracted File Names`	`extracted_file_names`	In case of an archive file, the list of archived file names.	`malicious.js`
`Extracted File Types`	`extracted_file_types`	In case of an archive file, the archived file types.	`js`
`Extracted File Verdict`	`extracted_file_verdict`	In case of an archive file, the verdict for internal files.	`malicious`
`File Direction`	`file_direction`	In case of a malicious file that was found by Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., the direction of the connection: Incoming - for download Outgoing - for upload	`Incoming`
`File MD5`	`file_md5`	MD5 hash of the detected file.	`8e3951897 bf8371e60 10e3254b9 9e86d`
`File Name`	`file_name`	Name of the detected file.	`malicious.exe`
`File SHA1`	`file_sha1`	SHA1 hash of the detected file.	`4d48c297e 2cd81b1ee 786a71fc1 a3def1786 19aa`
`File SHA256`	`file_sha256`	SHA256 hash of the detected file.	`110d6ae80 2d229a810 5f3185525 b5ce2cf9e 151f2462b f407db6e8 32ccac56fa`
`File Size`	`file_size`	Size (in bytes) of the detected file.	`8.4KB`
`File Type+A23`	`file_type`	Extension of the detected file.	`wsf`
`First Detection`	`first_detection`	Time of the first detection of the infection.	`1th january 2018`
`Geographic Location`	`calc_geo_location`	In case of a malicious activity on the mobile device, the location of the mobile device (in the format: Longitude, Latitude).	`32.0686513, 34.7945463`
`Hardware Model`	`hardware_model`	Mobile device hardware model.	`Samsung A900`
`Host Time`	`host_time`	Local time on the endpoint computer.	`7th july 2018 22:27`
`Host Type`	`host_type`	Type of the source endpoint computer.	`Desktop`
`Impacted Files`	`impacted_files`	In case of an infection on an endpoint computer, the list of files that the malware impacted.	`privatedoc.txt; image.png`
`Industry Reference`	`industry_reference`	Link to the related MITRE vulnerability documentation.	`https://cve.mitre.org/ cgi-bin/ cvename.cgi? name=CVE-2017-0148`
`Installed Blades`	`installed_products`	List of installed Endpoint Software Blade.	`Anti-Ransomware, Anti-Exploit, Anti-Bot`
`Interface`	`interfaceName`	The name of the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., through which a connection traverses.	`eth1`
`Jailbreak Information`	`jailbreak_message`	Indicates whether the integrity of the mobile device OS is violated: True - The OS is Jailbroken or Rooted. False - The OS is intact.	`TRUE`
`Last Detection`	`last_detection`	Time of the last detection of the infection.	`2th january 2018`
`Malware Action`	`malware_action`	Description of the detected malware activity.	`'DNS query for a site known to be malicious';`
`Malware Family`	`malware_family`	Name of the malware related to the malicious IOC.	`Locky`
`MDM ID`	`mdm_id`	Mobile Device ID on the MDM system.	`4718`
`Network Certificate`	`network_certificate`	Public key of the certificate that was used for SSL interception.	`example.com`
`Not Vulnerable OS`	`emulated_on`	Emulators that did not found the file malicious.	`Win7 64b,Office 2010,Adobe 11`
`Origin`	`orig`	Name of the first Security Gateway that reported this event.	`My_GW`
`OS Name`	`os_name`	Name of the OS installed on the source endpoint computer.	`Windows 7 Professional N Edition`
`OS Version`	`os_version`	Build version of the OS installed on the source endpoint computer.	`6.1-7601-SP1.0-SMP`
`Packet Capture`	`packet_capture`	Link to the PCAP traffic capture file with the recorded malicious connection.
`Parent Process MD5`	`parent_process_md5`	MD5 hash of the parent process of the process that triggered the attack.	`d41d8cd98 f00b204e9 800998ecf 8427e`
`Parent Process Name`	`parent_process_name`	Name of the parent process of the process that triggered the attack.	`cmd.exe`
`Parent Process Username`	`parent_process_username`	Owner username of the parent process of the process that triggered the attack.	`johndoe`
`Performance Impact`	`performance_impact`	IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). Signature performance impact on the Security Gateway.	`Medium`
`Phone Number`	`phone_number`	The phone number of the mobile device.	`15712244010`
`Policy`	`policy_date`	Date of the last policy fetch.	`1th january 2018`
`Policy Management`	`policy_mgmt`	Name of the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages this Security Gateway.	`My_MGMT_server`
`Policy Name`	`policy_name`	Name of the last policy that this Security Gatewayfetched.	`My_Perimeter`
`Process MD5`	`process_md5`	MD5 hash of the process that triggered the attack.	`d41d8cd98 f00b204e9 800998ecf 8427e`
`Process Name`	`process_name`	Name of the process that triggered the attack.	`bot.exe`
`Process Username`	`process_username`	Owner username of the process that triggered the attack.	`johndoe`
`Product Family`	`product_family`	Name of the Software Blade family.	`Threat`
`Product Version`	`client_version`	Build version of SandBlast Agent client installed on the computer.	`80.85.7076`
`Protection Name`	`protection_name`	Specific name of the attack signature.	`'Exploited doc document'`
`Protection Type`	`protection_type`	Type of the protection used to detect the attack.	`SMTP Emulation`
`Reason`	`reason`	The reason for detecting or stopping the attack.	`Internal error occurred, could not connect to cws.checkpoint.com:80". Check proxy configuration on the gateway."`
`Recipient`	`to`	Destination email address.	`recipient@example.com`
`Remediated Files`	`remediated_files`	In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.	`malicious.exe, dropper.exe`
`Resource`	`resource`	URL, Domain, or DNS of the malicious request.	`www[.]maliciousdomain[.]xyz`
`Risk`	`file_risk`	Shows the risk rate, in case the Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. Software Blade found a suspicious content.	`4`
`Scope`	`scope`	Protected scope defined in the rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..	`192.168.1.3`
`Sender`	`from`	Source email address.	`sender@example.com`
`Service`	`service_name`	Protocol and destination port.	`http [tcp/80]`
`Severity`	`severity`	Incident severity level based on Check Point ThreatCloud.	`High`
`Source`	`src`	Attack source IP address.	`91.2.22.28`
`Source IP-phone`	`src_phone_number`	The phone number of the source mobile device.	`15712244010`
`Source Port`	`s_port`	Source port of the connection.	`35125`
`SSID`	`ssid`	The name of the Wi-Fi network, in case a suspicious or malicious event was found in SandBlast Mobile.	`Airport_Free_Wifi`
`Subject`	`subject`	The subject of the email that was inspected by Check Point.	`invoice #43662`
`Suppressed logs`	`suppressed_logs`	Shows the number of malicious connection attempts in a burst. Burst - A series of repeated connection attempts within a very short time period. The attempted connections must all have the same: Source Destination Protocol	`72`
`Suspicious Content`	`scrubbed_content`	Shows the content that Threat Extraction Software Blade removed.	`Embedded Objects:`
`System App`	`system_app`	Indicates whether the detected app is installed in the device ROM.	`False`
`Threat Extraction Activity`	`scrub_activity`	Description of the risky active content that the Security Gateway found and cleaned.	`Active content was found - DOCX file was converted to PDF`
`Threat Profile`	`smartdefense_profile`	Name of the IPS profile, if it is managed separately from other Threat Prevention Software Blade.	`Recommended_IPS_internal`
`Time`	`time`	The time stamp when the log was created.	`7th july 2018 22:27`
`Total Attachments`	`total_attachments`	The number of attachments in an email.	`3`
`Triggered By`	`triggered_by`	The name of the mechanism that triggered the Software Blade to enforce a protection.	`SandBlast Anti-Ransomware`
`Trusted Domain`	`trusted_domain`	In case of phishing event, the domain, which the attacker was impersonating.	`www.checkpoint.com`
`Type`	`type`	Log type.	`log`
`Vendor List`	`vendor_list`	The vendor name that provided the verdict for a malicious URL.	`Check Point ThreatCloud`
`Verdict`	`verdict`	Verdict of the malicious activity/File.	`Malicious`
`Vulnerable OS`	`detected_on`	Emulators that found the file malicious.	`Win7 Office 2013 Adobe 11 WinXP Office 2003/7 Adobe 9`