diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index 5fc1de68d05..84fb9d345b2 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.4"
+  changes:
+    - description: Change mapping type of checkpoint.source_object to keyword from integer.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2951
 - version: "1.3.3"
   changes:
     - description: Add documentation for multi-fields
diff --git a/packages/checkpoint/data_stream/firewall/fields/beats.yml b/packages/checkpoint/data_stream/firewall/fields/beats.yml
index a3aee09c721..e272492dea3 100644
--- a/packages/checkpoint/data_stream/firewall/fields/beats.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/beats.yml
@@ -7,9 +7,6 @@
 - description: Offset of the entry in the log file.
   name: log.offset
   type: long
-- description: Path to the log file.
-  name: log.file.path
-  type: keyword
 - description: Name of the service data is collected from.
   name: destination.service.name
   type: keyword
diff --git a/packages/checkpoint/data_stream/firewall/fields/ecs.yml b/packages/checkpoint/data_stream/firewall/fields/ecs.yml
index df2551ec3c1..455851010db 100644
--- a/packages/checkpoint/data_stream/firewall/fields/ecs.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/ecs.yml
@@ -70,6 +70,8 @@
   name: event.ingested
 - external: ecs
   name: event.kind
+- external: ecs
+  name: event.original
 - external: ecs
   name: event.outcome
 - external: ecs
@@ -232,3 +234,5 @@
   name: user_agent.original
 - external: ecs
   name: vulnerability.id
+- external: ecs
+  name: log.file.path
diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml
index e46ad29fddb..a389420a0c4 100644
--- a/packages/checkpoint/data_stream/firewall/fields/fields.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml
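Review bot: The 1.3.4 changelog entry added in this commit records only the `checkpoint.source_object` type change, while the ecs.yml hunks also introduce `event.original` and move `log.file.path` from beats.yml to an `external: ecs` definition, so that part of the mapping change is undocumented for package consumers. Taking `event.original` from ECS presumably brings ECS's own (non-indexed) mapping, but it still means the full raw Check Point log line is kept in `_source` whenever the ingest pipeline populates it, and the pipeline is not part of this diff, so the storage and sensitivity implications deserve a mention. I would add a second change under 1.3.4, e.g. `- description: Add event.original and move log.file.path to ECS field definitions.` with `type: enhancement` and the same PR link.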
@@ -2,720 +2,686 @@ type: group release: beta fields: - - name: confidence_level + - name: action_reason type: integer description: | - Confidence level determined by ThreatCloud. - - name: calc_desc + Connection drop reason. + - name: action_reason_msg type: keyword + overwrite: true description: | - Log description. - - name: dst_country + Connection drop reason message. + - name: additional_info type: keyword description: | - Destination country. - - name: dst_user_name + ID of original file/mail which are sent by admin. + - name: additional_ip type: keyword description: | - Connected user name on the destination IP. - - name: email_id + DNS host name. + - name: additional_rdata type: keyword description: | - Email number in smtp connection. - - name: email_subject + List of additional resource records. + - name: alert type: keyword description: | - Original email subject. - - name: email_session_id - type: keyword + Alert level of matched rule (for connection logs). + - name: allocated_ports + type: integer description: | - Connection uuid. - - name: event_count - type: long + Amount of allocated ports. + - name: analyzed_on + type: keyword description: | - Number of events associated with the log. - - name: sys_message + Check Point ThreatCloud / emulator name. + - name: answer_rdata type: keyword description: | - System messages - - name: logid + List of answer resource records to the questioned domains. + - name: anti_virus_type type: keyword description: | - System messages - - name: failure_impact + Anti virus type. + - name: app_desc type: keyword description: | - The impact of update service failure. - - name: id + Application description. + - name: app_id type: integer description: | - Override application ID. - - name: information + Application ID. + - name: app_package type: keyword description: | - Policy installation status for a specific blade. - - name: layer_name + Unique identifier of the application on the protected mobile device. 
+ - name: app_properties type: keyword description: | - Layer name. - - name: layer_uuid + List of all found categories. + - name: app_repackaged type: keyword description: | - Layer UUID. - - name: log_id - type: integer - description: | - Unique identity for logs. - - name: malware_family + Indicates whether the original application was repackage not by the official developer. + - name: app_sid_id type: keyword description: | - Additional information on protection. - - name: origin_sic_name + Unique SHA identifier of a mobile application. + - name: app_sig_id type: keyword description: | - Machine SIC. - - name: policy_mgmt + IOC indicator description. + - name: app_version type: keyword description: | - Name of the Management Server that manages this Security Gateway. - - name: policy_name + Version of the application downloaded on the protected mobile device. + - name: appi_name type: keyword description: | - Name of the last policy that this Security Gateway fetched. - - name: protection_id + Name of application downloaded on the protected mobile device. + - name: arrival_time type: keyword description: | - Protection malware id. - - name: protection_name - type: keyword + Email arrival timestamp. + - name: attachments_num + type: integer description: | - Specific signature name of the attack. - - name: protection_type + Number of attachments in the mail. + - name: attack_status type: keyword description: | - Type of protection used to detect the attack. - - name: protocol + In case of a malicious event on an endpoint computer, the status of the attack. + - name: audit_status type: keyword description: | - Protocol detected on the connection. - - name: proxy_src_ip - type: ip - description: | - Sender source IP (even when using proxy). - - name: rule - type: integer + Audit Status. Can be Success or Failure. + - name: auth_method + type: keyword description: | - Matched rule number. - - name: rule_action + Password authentication protocol used (PAP or EAP). 
+ - name: authority_rdata type: keyword description: | - Action of the matched rule in the access policy. - - name: scan_direction + List of authoritative servers. + - name: authorization type: keyword description: | - Scan direction. - - name: session_id + Authorization HTTP header value. + - name: bcc type: keyword description: | - Log uuid. - - name: source_os + List of BCC addresses. + - name: blade_name type: keyword description: | - OS which generated the attack. - - name: src_country + Blade name. + - name: broker_publisher + type: ip + description: | + IP address of the broker publisher who shared the session information. + - name: browse_time type: keyword description: | - Country name, derived from connection source IP address. - - name: src_user_name + Application session browse time. + - name: c_bytes + type: integer + description: | + Boolean value indicates whether bytes sent from the client side are used. + - name: calc_desc type: keyword description: | - User name connected to source IP - - name: ticket_id + Log description. + - name: capacity + type: integer + description: | + Capacity of the ports. + - name: capture_uuid type: keyword description: | - Unique ID per file. - - name: tls_server_host_name + UUID generated for the capture. Used when enabling the capture when logging. + - name: cc type: keyword description: | - SNI/CN from encrypted TLS connection used by URLF for categorization. - - name: verdict + The Carbon Copy address of the email. + - name: certificate_resource type: keyword description: | - TE engine verdict Possible values: Malicious/Benign/Error. - - name: user + HTTPS resource Possible values: SNI or domain name (DN). + - name: certificate_validation type: keyword description: | - Source user name. - - name: vendor_list + Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. + - name: cgnet type: keyword description: | - The vendor name that provided the verdict for a malicious URL. 
- - name: web_server_type + Describes NAT allocation for specific subscriber. + - name: chunk_type type: keyword description: | - Web server detected in the HTTP response. + Chunck of the sctp stream. - name: client_name type: keyword description: | Client Application or Software Blade that detected the event. - - name: client_version + - name: client_type type: keyword description: | - Build version of SandBlast Agent client installed on the computer. - - name: extension_version + Endpoint Connect. + - name: client_type_os type: keyword description: | - Build version of the SandBlast Agent browser extension. - - name: host_time + Client OS detected in the HTTP request. + - name: client_version type: keyword description: | - Local time on the endpoint computer. - - name: installed_products + Build version of SandBlast Agent client installed on the computer. + - name: cluster_info type: keyword description: | - List of installed Endpoint Software Blades. - - name: cc + Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. + - name: comment type: keyword - description: | - The Carbon Copy address of the email. - - name: parent_process_username + - name: community type: keyword description: | - Owner username of the parent process of the process that triggered the attack. - - name: process_username - type: keyword + Community name for the IPSec key and the use of the IKEv. + - name: confidence_level + type: integer description: | - Owner username of the process that triggered the attack. - - name: audit_status + Confidence level determined by ThreatCloud. + - name: conn_direction type: keyword - description: | - Audit Status. Can be Success or Failure. - - name: objecttable + description: Connection direction + - name: connection_uid type: keyword description: | - Table of affected objects. - - name: objecttype + Calculation of md5 of the IP and user name as UID. 
+ - name: connectivity_level type: keyword description: | - The type of the affected object. - - name: operation_number + Log for a new connection in wire mode. + - name: conns_amount + type: integer + description: | + Connections amount of aggregated log info. + - name: content_disposition type: keyword description: | - The operation nuber. - - name: email_recipients_num - type: long + Indicates how the content is expected to be displayed inline in the browser. + - name: content_length + type: keyword description: | - Amount of recipients whom the mail was sent to. - - name: suppressed_logs + Indicates the size of the entity-body of the HTTP header. + - name: content_risk type: integer description: | - Aggregated connections for five minutes on the same source, destination and port. - - name: blade_name + File risk. + - name: content_type type: keyword description: | - Blade name. - - name: status - type: keyword + Mail content type. Possible values: application/msword, text/html, image/gif etc. + - name: context_num + type: integer description: | - Ok/Warning/Error. - - name: short_desc + Serial number of the log for a specific connection. + - name: cookieI type: keyword description: | - Short description of the process that was executed. - - name: long_desc + Initiator cookie. + - name: cookieR type: keyword description: | - More information on the process (usually describing error reason in failure). - - name: scan_hosts_hour + Responder cookie. + - name: cp_message type: integer description: | - Number of unique hosts during the last hour. - - name: scan_hosts_day - type: integer - description: | - Number of unique hosts during the last day. - - name: scan_hosts_week - type: integer - description: | - Number of unique hosts during the last week. - - name: unique_detected_hour - type: integer - description: | - Detected virus for a specific host during the last hour. 
- - name: unique_detected_day - type: integer - description: | - Detected virus for a specific host during the last day. - - name: unique_detected_week - type: integer - description: | - Detected virus for a specific host during the last week. - - name: scan_mail - type: integer - description: | - Number of emails that were scanned by "AB malicious activity" engine. - - name: additional_ip + Used to log a general message. + - name: cvpn_category type: keyword description: | - DNS host name. - - name: description + Mobile Access application type. + - name: cvpn_resource type: keyword description: | - Additional explanation how the security gateway enforced the connection. - - name: email_spam_category + Mobile Access application. + - name: data_type_name type: keyword description: | - Email categories. Possible values: spam/not spam/phishing. - - name: email_control_analysis + Data type in rulebase that was matched. + - name: db_ver type: keyword - description: | - Message classification, received from spam vendor engine. - - name: scan_results + description: Database version + - name: dce-rpc_interface_uuid type: keyword description: | - "Infected"/description of a failure. - - name: original_queue_id + Log for new RPC state - UUID values + - name: delivery_time type: keyword description: | - Original postfix email queue id. - - name: risk + Timestamp of when email was delivered (MTA finished handling the email. + - name: desc type: keyword description: | - Risk level we got from the engine. - - name: observable_name + Override application description. + - name: description type: keyword description: | - IOC observable signature name. - - name: observable_id + Additional explanation how the security gateway enforced the connection. + - name: destination_object type: keyword description: | - IOC observable signature id. - - name: observable_comment + Matched object name on destination column. 
+ - name: detected_on type: keyword description: | - IOC observable signature description. - - name: indicator_name + System and applications version the file was emulated on. + - name: developer_certificate_name type: keyword description: | - IOC indicator name. - - name: indicator_description - type: keyword + Name of the developer's certificate that was used to sign the mobile application. + - name: diameter_app_ID + type: integer description: | - IOC indicator description. - - name: indicator_reference - type: keyword + The ID of diameter application. + - name: diameter_cmd_code + type: integer description: | - IOC indicator reference. - - name: indicator_uuid + Diameter not allowed application command id. + - name: diameter_msg_type type: keyword description: | - IOC indicator uuid. - - name: app_desc + Diameter message type. + - name: dlp_action_reason type: keyword description: | - Application description. - - name: app_id - type: integer - description: | - Application ID. - - name: app_sig_id + Action chosen reason. + - name: dlp_additional_action type: keyword description: | - IOC indicator description. - - name: certificate_resource + Watermark/None. + - name: dlp_categories type: keyword description: | - HTTPS resource Possible values: SNI or domain name (DN). - - name: certificate_validation + Data type category. + - name: dlp_data_type_name type: keyword description: | - Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. - - name: browse_time + Matched data type. + - name: dlp_data_type_uid type: keyword description: | - Application session browse time. - - name: limit_requested - type: integer - description: | - Indicates whether data limit was requested for the session. - - name: limit_applied - type: integer - description: | - Indicates whether the session was actually date limited. - - name: dropped_total + Unique ID of the matched data type. 
+ - name: dlp_fingerprint_files_number type: integer description: | - Amount of dropped packets (both incoming and outgoing). - - name: client_type_os + Number of successfully scanned files in repository. + - name: dlp_fingerprint_long_status type: keyword description: | - Client OS detected in the HTTP request. - - name: name + Scan status - long format. + - name: dlp_fingerprint_short_status type: keyword description: | - Application name. - - name: properties + Scan status - short format. + - name: dlp_incident_uid type: keyword description: | - Application categories. - - name: sig_id + Unique ID of the matched rule. + - name: dlp_recipients type: keyword description: | - Application's signature ID which how it was detected by. - - name: desc + Mail recipients. + - name: dlp_related_incident_uid type: keyword description: | - Override application description. - - name: referrer_self_uid + Other ID related to this one. + - name: dlp_relevant_data_types type: keyword description: | - UUID of the current log. - - name: referrer_parent_uid - type: keyword + In case of Compound/Group: the inner data types that were matched. + - name: dlp_repository_directories_number + type: integer description: | - Log UUID of the referring application. - - name: needs_browse_time + Number of directories in repository. + - name: dlp_repository_files_number type: integer description: | - Browse time required for the connection. - - name: cluster_info + Number of files in repository. + - name: dlp_repository_id type: keyword description: | - Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. - - name: sync - type: keyword + ID of scanned repository. + - name: dlp_repository_not_scanned_directories_percentage + type: integer description: | - Sync status and the reason (stable, at risk). - - name: file_direction + Percentage of directories the Security Gateway was unable to read. 
+ - name: dlp_repository_reached_directories_number + type: integer + description: | + Number of scanned directories in repository. + - name: dlp_repository_root_path type: keyword description: | - File direction. Possible options: upload/download. - - name: invalid_file_size + Repository path. + - name: dlp_repository_scan_progress type: integer description: | - File_size field is valid only if this field is set to 0. - - name: top_archive_file_name - type: keyword + Scan percentage. + - name: dlp_repository_scanned_directories_number + type: integer description: | - In case of archive file: the file that was sent/received. - - name: data_type_name - type: keyword + Amount of directories scanned. + - name: dlp_repository_scanned_files_number + type: integer description: | - Data type in rulebase that was matched. - - name: specific_data_type_name - type: keyword + Number of scanned files in repository. + - name: dlp_repository_scanned_total_size + type: integer description: | - Compound/Group scenario, data type that was matched. - - name: word_list - type: keyword + Size scanned. + - name: dlp_repository_skipped_files_number + type: integer description: | - Words matched by data type. - - name: info - type: keyword + Skipped number of files because of configuration. + - name: dlp_repository_total_size + type: integer description: | - Special log message. - - name: outgoing_url - type: keyword + Repository size. + - name: dlp_repository_unreachable_directories_number + type: integer description: | - URL related to this log (for HTTP). + Number of directories the Security Gateway was unable to read. - name: dlp_rule_name type: keyword description: | Matched rule name. - - name: dlp_recipients - type: keyword - description: | - Mail recipients. - name: dlp_subject type: keyword description: | Mail subject. - - name: dlp_word_list - type: keyword - description: | - Phrases matched by data type. 
- name: dlp_template_score type: keyword description: | Template data type match score. - - name: message_size - type: integer - description: | - Mail/post size. - - name: dlp_incident_uid + - name: dlp_transint type: keyword description: | - Unique ID of the matched rule. - - name: dlp_related_incident_uid + HTTP/SMTP/FTP. + - name: dlp_violation_description type: keyword description: | - Other ID related to this one. - - name: dlp_data_type_name + Violation descriptions described in the rulebase. + - name: dlp_watermark_profile type: keyword description: | - Matched data type. - - name: dlp_data_type_uid + Watermark which was applied. + - name: dlp_word_list type: keyword description: | - Unique ID of the matched data type. - - name: dlp_violation_description + Phrases matched by data type. + - name: dns_query type: keyword description: | - Violation descriptions described in the rulebase. - - name: dlp_relevant_data_types + DNS query. + - name: drop_reason type: keyword description: | - In case of Compound/Group: the inner data types that were matched. - - name: dlp_action_reason + Drop reason description. + - name: dropped_file_hash type: keyword description: | - Action chosen reason. - - name: dlp_categories + List of file hashes dropped from the original file. + - name: dropped_file_name type: keyword description: | - Data type category. - - name: dlp_transint + List of names dropped from the original file. + - name: dropped_file_type type: keyword description: | - HTTP/SMTP/FTP. - - name: duplicate + List of file types dropped from the original file. + - name: dropped_file_verdict type: keyword description: | - Log marked as duplicated, when mail is split and the Security Gateway sees it twice. - - name: incident_extension - type: keyword + List of file verdics dropped from the original file. + - name: dropped_incoming + type: integer description: | - Matched data type. 
- - name: matched_file - type: keyword + Number of incoming bytes dropped when using UP-limit feature. + - name: dropped_outgoing + type: integer description: | - Unique ID of the matched data type. - - name: matched_file_text_segments + Number of outgoing bytes dropped when using UP-limit feature. + - name: dropped_total type: integer description: | - Fingerprint: number of text segments matched by this traffic. - - name: matched_file_percentage + Amount of dropped packets (both incoming and outgoing). + - name: drops_amount type: integer description: | - Fingerprint: match percentage of the traffic. - - name: dlp_additional_action + Amount of multicast packets dropped. + - name: dst_country type: keyword description: | - Watermark/None. - - name: dlp_watermark_profile + Destination country. + - name: dst_phone_number type: keyword description: | - Watermark which was applied. - - name: dlp_repository_id + Destination IP-Phone. + - name: dst_user_name type: keyword description: | - ID of scanned repository. - - name: dlp_repository_root_path + Connected user name on the destination IP. + - name: dstkeyid type: keyword description: | - Repository path. - - name: scan_id + Responder Spi ID. + - name: duplicate type: keyword description: | - Sequential number of scan. - - name: special_properties - type: integer - description: | - If this field is set to '1' the log will not be shown (in use for monitoring scan progress). - - name: dlp_repository_total_size - type: integer - description: | - Repository size. - - name: dlp_repository_files_number - type: integer - description: | - Number of files in repository. - - name: dlp_repository_scanned_files_number - type: integer - description: | - Number of scanned files in repository. + Log marked as duplicated, when mail is split and the Security Gateway sees it twice. - name: duration type: keyword description: "Scan duration. 
\n" - - name: dlp_fingerprint_long_status + - name: elapsed type: keyword description: | - Scan status - long format. - - name: dlp_fingerprint_short_status + Time passed since start time. + - name: email_content type: keyword description: | - Scan status - short format. - - name: dlp_repository_directories_number - type: integer - description: | - Number of directories in repository. - - name: dlp_repository_unreachable_directories_number - type: integer - description: | - Number of directories the Security Gateway was unable to read. - - name: dlp_fingerprint_files_number - type: integer + Mail contents. Possible options: attachments/links & attachments/links/text only. + - name: email_control + type: keyword description: | - Number of successfully scanned files in repository. - - name: dlp_repository_skipped_files_number - type: integer + Engine name. + - name: email_control_analysis + type: keyword description: | - Skipped number of files because of configuration. - - name: dlp_repository_scanned_directories_number - type: integer + Message classification, received from spam vendor engine. + - name: email_headers + type: keyword description: | - Amount of directories scanned. - - name: number_of_errors - type: integer + String containing all the email headers. + - name: email_id + type: keyword description: | - Number of files that were not scanned due to an error. - - name: next_scheduled_scan_date + Email number in smtp connection. + - name: email_message_id type: keyword - description: "Next scan scheduled time according to time object. \n" - - name: dlp_repository_scanned_total_size - type: integer description: | - Size scanned. - - name: dlp_repository_reached_directories_number - type: integer + Email session id (uniqe ID of the mail). + - name: email_queue_id + type: keyword description: | - Number of scanned directories in repository. - - name: dlp_repository_not_scanned_directories_percentage - type: integer + Postfix email queue id. 
+ - name: email_queue_name + type: keyword description: | - Percentage of directories the Security Gateway was unable to read. - - name: speed - type: integer + Postfix email queue name. + - name: email_recipients_num + type: long description: | - Current scan speed. - - name: dlp_repository_scan_progress - type: integer + Amount of recipients whom the mail was sent to. + - name: email_session_id + type: keyword description: | - Scan percentage. - - name: sub_policy_name + Connection uuid. + - name: email_spam_category type: keyword description: | - Layer name. - - name: sub_policy_uid + Email categories. Possible values: spam/not spam/phishing. + - name: email_status type: keyword description: | - Layer uid. - - name: fw_message + Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended + - name: email_subject type: keyword description: | - Used for various firewall errors. - - name: message + Original email subject. + - name: emulated_on type: keyword description: | - ISP link has failed. - - name: isp_link + Images the files were emulated on. + - name: encryption_failure type: keyword description: | - Name of ISP link. - - name: fw_subproduct + Message indicating why the encryption failed. + - name: end_time type: keyword description: | - Can be vpn/non vpn. - - name: sctp_error + TCP connection end time. + - name: end_user_firewall_type type: keyword description: | - Error information, what caused sctp to fail on out_of_state. - - name: chunk_type + End user firewall type. + - name: esod_access_status type: keyword description: | - Chunck of the sctp stream. - - name: sctp_association_state + Access denied. + - name: esod_associated_policies type: keyword description: | - The bad state you were trying to update to. - - name: tcp_packet_out_of_state + Associated policies. + - name: esod_noncompliance_reason type: keyword description: | - State violation. - - name: tcp_flags + Non-compliance reason. 
+ - name: esod_rule_action type: keyword description: | - TCP packet flags (SYN, ACK, etc.,). - - name: connectivity_level + Unknown rule action. + - name: esod_rule_name type: keyword description: | - Log for a new connection in wire mode. - - name: ip_option - type: integer + Unknown rule name. + - name: esod_rule_type + type: keyword description: | - IP option that was dropped. - - name: tcp_state + Unknown rule type. + - name: esod_scan_status type: keyword description: | - Log reinting a tcp state change. + Scan failed. + - name: event_count + type: long + description: | + Number of events associated with the log. - name: expire_time type: keyword description: | Connection closing time. - - name: icmp_type - type: long + - name: extension_version + type: keyword description: | - In case a connection is ICMP, type info will be added to the log. - - name: icmp_code - type: long + Build version of the SandBlast Agent browser extension. + - name: extracted_file_hash + type: keyword description: | - In case a connection is ICMP, code info will be added to the log. - - name: rpc_prog - type: integer + Archive hash in case of extracted files. + - name: extracted_file_names + type: keyword description: | - Log for new RPC state - prog values. - - name: dce-rpc_interface_uuid + Names of extracted files in case of an archive. + - name: extracted_file_type type: keyword description: | - Log for new RPC state - UUID values - - name: elapsed + Types of extracted files in case of an archive. + - name: extracted_file_uid type: keyword description: | - Time passed since start time. - - name: icmp + UID of extracted files in case of an archive. + - name: extracted_file_verdict type: keyword description: | - Number of packets, received by the client. - - name: capture_uuid + Verdict of extracted files in case of an archive. + - name: failure_impact type: keyword description: | - UUID generated for the capture. Used when enabling the capture when logging. 
- - name: diameter_app_ID - type: integer + The impact of update service failure. + - name: failure_reason + type: keyword description: | - The ID of diameter application. - - name: diameter_cmd_code - type: integer + MTA failure description. + - name: file_direction + type: keyword description: | - Diameter not allowed application command id. - - name: diameter_msg_type + File direction. Possible options: upload/download. + - name: file_name type: keyword description: | - Diameter message type. - - name: cp_message + Malicious file name. + - name: files_names + type: keyword + description: | + List of files requested by FTP. + - name: first_hit_time type: integer description: | - Used to log a general message. - - name: log_delay + First hit time in current interval. + - name: fs-proto + type: keyword + description: | + The file share protocol used in mobile acess file share application. + - name: ftp_user + type: keyword + description: | + FTP username. + - name: fw_message + type: keyword + description: | + Used for various firewall errors. + - name: fw_subproduct + type: keyword + description: | + Can be vpn/non vpn. + - name: hide_ip + type: ip + description: | + Source IP which will be used after CGNAT. + - name: hit type: integer description: | - Time left before deleting template. - - name: attack_status + Number of hits on a rule. + - name: host_time type: keyword description: | - In case of a malicious event on an endpoint computer, the status of the attack. - - name: impacted_files + Local time on the endpoint computer. + - name: http_host type: keyword description: | - In case of an infection on an endpoint computer, the list of files that the malware impacted. - - name: remediated_files + Domain name of the server that the HTTP request is sent to. + - name: http_location type: keyword description: | - In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. 
- - name: triggered_by + Response header, indicates the URL to redirect a page to. + - name: http_server type: keyword description: | - The name of the mechanism that triggered the Software Blade to enforce a protection. + Server HTTP header value, contains information about the software used by the origin server, which handles the request. + - name: https_inspection_action + type: keyword + description: | + HTTPS inspection action (Inspect/Bypass/Error). - name: https_inspection_rule_id type: keyword description: | 
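Review bot: The new `authorization` entry in this hunk (`+ - name: authorization`, described as `Authorization HTTP header value`) maps the raw header into an indexed keyword field, so any Basic credentials or bearer tokens the gateway logs for inspected HTTP traffic would be stored and searchable in the data stream, and nothing in the commit flags or excludes that. Whether the ingest pipeline actually copies the header into this field cannot be seen from the diff, but the mapping alone invites retention of secrets in the index. At minimum the field should carry a warning, e.g. a comment above the entry `# NOTE: may contain Basic credentials or bearer tokens; redact or drop at ingest before indexing`, or the description should say so explicitly. The `fields:` group this hunk edits continues past the end of the hunk.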
@@ -724,294 +690,310 @@ type: keyword description: | Name of the matched rule. - - name: app_properties - type: keyword - description: | - List of all found categories. - name: https_validation type: keyword description: | Precise error, describing HTTPS inspection failure. - - name: https_inspection_action - type: keyword - description: | - HTTPS inspection action (Inspect/Bypass/Error). - - name: icap_service_id + - name: icap_more_info type: integer description: | - Service ID, can work with multiple servers, treated as services. + Free text for verdict. - name: icap_server_name type: keyword description: | Server name. - - name: internal_error + - name: icap_server_service type: keyword description: | - Internal error, for troubleshooting - - name: icap_more_info + Service name, as given in the ICAP URI + - name: icap_service_id type: integer description: | - Free text for verdict. - - name: reply_status + Service ID, can work with multiple servers, treated as services. + - name: icmp + type: keyword + description: | + Number of packets, received by the client. + - name: icmp_code + type: long + description: | + In case a connection is ICMP, code info will be added to the log. + - name: icmp_type + type: long + description: | + In case a connection is ICMP, type info will be added to the log. + - name: id type: integer description: | - ICAP reply status code, e.g. 200 or 204. - - name: icap_server_service + Override application ID. + - name: ike type: keyword description: | - Service name, as given in the ICAP URI - - name: mirror_and_decrypt_type + IKEMode (PHASE1, PHASE2, etc..). + - name: ike_ids type: keyword description: | - Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). - - name: interface_name + All QM ids. + - name: impacted_files type: keyword description: | - Designated interface for mirror And decrypt. 
- - name: session_uid + In case of an infection on an endpoint computer, the list of files that the malware impacted. + - name: incident_extension type: keyword description: | - HTTP session-id. - - name: broker_publisher - type: ip - description: | - IP address of the broker publisher who shared the session information. - - name: src_user_dn + Matched data type. + - name: indicator_description type: keyword description: | - User distinguished name connected to source IP. - - name: proxy_user_name + IOC indicator description. + - name: indicator_name type: keyword description: | - User name connected to proxy IP. - - name: proxy_machine_name - type: integer - description: | - Machine name connected to proxy IP. - - name: proxy_user_dn + IOC indicator name. + - name: indicator_reference type: keyword description: | - User distinguished name connected to proxy IP. - - name: query + IOC indicator reference. + - name: indicator_uuid type: keyword description: | - DNS query. - - name: dns_query + IOC indicator uuid. + - name: info type: keyword description: | - DNS query. - - name: inspection_item + Special log message. + - name: information type: keyword description: | - Blade element performed inspection. - - name: performance_impact - type: integer - description: | - Protection performance impact. + Policy installation status for a specific blade. - name: inspection_category type: keyword description: | Inspection category: protocol anomaly, signature etc. + - name: inspection_item + type: keyword + description: | + Blade element performed inspection. - name: inspection_profile type: keyword description: | Profile which the activated protection belongs to. - - name: summary + - name: inspection_settings_log type: keyword description: | - Summary message of a non-compliant DNS traffic drops or detects. - - name: question_rdata + Indicats that the log was released by inspection settings. 
+ - name: installed_products type: keyword description: | - List of question records domains. - - name: answer_rdata - type: keyword + List of installed Endpoint Software Blades. + - name: int_end + type: integer description: | - List of answer resource records to the questioned domains. - - name: authority_rdata - type: keyword + Subscriber end int which will be used for NAT. + - name: int_start + type: integer description: | - List of authoritative servers. - - name: additional_rdata + Subscriber start int which will be used for NAT. + - name: interface_name type: keyword description: | - List of additional resource records. - - name: files_names + Designated interface for mirror And decrypt. + - name: internal_error type: keyword description: | - List of files requested by FTP. - - name: ftp_user - type: keyword + Internal error, for troubleshooting + - name: invalid_file_size + type: integer description: | - FTP username. - - name: mime_from - type: keyword + File_size field is valid only if this field is set to 0. + - name: ip_option + type: integer description: | - Sender's address. - - name: mime_to + IP option that was dropped. + - name: isp_link type: keyword description: | - List of receiver address. - - name: bcc - type: keyword + Name of ISP link. + - name: last_hit_time + type: integer description: | - List of BCC addresses. - - name: content_type + Last hit time in current interval. + - name: last_rematch_time type: keyword description: | - Mail content type. Possible values: application/msword, text/html, image/gif etc. - - name: user_agent + Connection rematched time. + - name: layer_name type: keyword description: | - String identifying requesting software user agent. - - name: referrer + Layer name. + - name: layer_uuid type: keyword description: | - Referrer HTTP request header, previous web page address. - - name: http_location - type: keyword + Layer UUID. 
+ - name: limit_applied + type: integer description: | - Response header, indicates the URL to redirect a page to. - - name: content_disposition - type: keyword + Indicates whether the session was actually date limited. + - name: limit_requested + type: integer description: | - Indicates how the content is expected to be displayed inline in the browser. - - name: via + Indicates whether data limit was requested for the session. + - name: link_probing_status_update type: keyword description: | - Via header is added by proxies for tracking purposes to avoid sending reqests in loop. - - name: http_server - type: keyword + IP address response status. + - name: links_num + type: integer description: | - Server HTTP header value, contains information about the software used by the origin server, which handles the request. - - name: content_length - type: keyword + Number of links in the mail. + - name: log_delay + type: integer description: | - Indicates the size of the entity-body of the HTTP header. - - name: authorization + Time left before deleting template. + - name: log_id + type: integer + description: | + Unique identity for logs. + - name: logid type: keyword description: | - Authorization HTTP header value. - - name: http_host + System messages + - name: long_desc type: keyword description: | - Domain name of the server that the HTTP request is sent to. - - name: inspection_settings_log + More information on the process (usually describing error reason in failure). + - name: machine type: keyword description: | - Indicats that the log was released by inspection settings. - - name: cvpn_resource + L2TP machine which triggered the log and the log refers to it. + - name: malware_family type: keyword description: | - Mobile Access application. - - name: cvpn_category + Additional information on protection. + - name: match_fk + type: integer + description: | + Rule number. 
+ - name: match_id + type: integer + description: | + Private key of the rule + - name: matched_file type: keyword description: | - Mobile Access application type. - - name: url + Unique ID of the matched data type. + - name: matched_file_percentage + type: integer + description: | + Fingerprint: match percentage of the traffic. + - name: matched_file_text_segments + type: integer + description: | + Fingerprint: number of text segments matched by this traffic. + - name: media_type type: keyword description: | - Translated URL. - - name: reject_id + Media used (audio, video, etc.) + - name: message type: keyword description: | - A reject ID that corresponds to the one presented in the Mobile Access error page. - - name: fs-proto + ISP link has failed. + - name: message_info type: keyword description: | - The file share protocol used in mobile acess file share application. - - name: app_package + Used for information messages, for example:NAT connection has ended. + - name: message_size + type: integer + description: | + Mail/post size. + - name: method type: keyword description: | - Unique identifier of the application on the protected mobile device. - - name: appi_name + HTTP method. + - name: methods type: keyword description: | - Name of application downloaded on the protected mobile device. - - name: app_repackaged + IPSEc methods. + - name: mime_from type: keyword description: | - Indicates whether the original application was repackage not by the official developer. - - name: app_sid_id + Sender's address. + - name: mime_to type: keyword description: | - Unique SHA identifier of a mobile application. - - name: app_version + List of receiver address. + - name: mirror_and_decrypt_type type: keyword description: | - Version of the application downloaded on the protected mobile device. - - name: developer_certificate_name + Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). 
+ - name: mitre_collection type: keyword description: | - Name of the developer's certificate that was used to sign the mobile application. - - name: email_control + The adversary is trying to collect data of interest to achieve his goal. + - name: mitre_command_and_control type: keyword description: | - Engine name. - - name: email_message_id + The adversary is trying to communicate with compromised systems in order to control them. + - name: mitre_credential_access type: keyword description: | - Email session id (uniqe ID of the mail). - - name: email_queue_id + The adversary is trying to steal account names and passwords. + - name: mitre_defense_evasion type: keyword description: | - Postfix email queue id. - - name: email_queue_name + The adversary is trying to avoid being detected. + - name: mitre_discovery type: keyword description: | - Postfix email queue name. - - name: file_name + The adversary is trying to expose information about your environment. + - name: mitre_execution type: keyword description: | - Malicious file name. - - name: failure_reason + The adversary is trying to run malicious code. + - name: mitre_exfiltration type: keyword description: | - MTA failure description. - - name: email_headers + The adversary is trying to steal data. + - name: mitre_impact type: keyword description: | - String containing all the email headers. - - name: arrival_time + The adversary is trying to manipulate, interrupt, or destroy your systems and data. + - name: mitre_initial_access type: keyword description: | - Email arrival timestamp. - - name: email_status + The adversary is trying to break into your network. + - name: mitre_lateral_movement type: keyword description: | - Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended - - name: status_update + The adversary is trying to explore your environment. + - name: mitre_persistence type: keyword description: | - Last time log was updated. 
- - name: delivery_time + The adversary is trying to maintain his foothold. + - name: mitre_privilege_escalation type: keyword description: | - Timestamp of when email was delivered (MTA finished handling the email. - - name: links_num - type: integer - description: | - Number of links in the mail. - - name: attachments_num - type: integer + The adversary is trying to gain higher-level permissions. + - name: monitor_reason + type: keyword description: | - Number of attachments in the mail. - - name: email_content + Aggregated logs of monitored packets. + - name: msgid type: keyword description: | - Mail contents. Possible options: attachments/links & attachments/links/text only. - - name: allocated_ports - type: integer + Message ID. + - name: name + type: keyword description: | - Amount of allocated ports. - - name: capacity - type: integer + Application name. + - name: nat46 + type: keyword description: | - Capacity of the ports. - - name: ports_usage + NAT 46 status, in most cases "enabled". + - name: nat_addtnl_rulenum type: integer description: | - Percentage of allocated ports. + When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. - name: nat_exhausted_pool type: keyword description: | 
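Review bot: `icap_more_info` is kept at `type: integer` on the new side (the context lines under the added `- name: icap_more_info`) while its own description says `Free text for verdict.`; if the gateway really emits free text there, Elasticsearch will reject the whole document on that field, so every firewall event carrying that key is dropped silently rather than landing with one malformed field, which is a detection gap rather than a cosmetic mapping issue. Since this PR is already correcting an integer/text mapping mismatch in this file, the one-line fix belongs in the same pass: `type: keyword` (a keyword field still accepts purely numeric verdict codes, whereas an integer field cannot accept text). I cannot see sample events from here, so confirm against a real ICAP log before changing the mapping; if the values turn out to be numeric, the description should be corrected instead so the next reader is not misled. The enclosing `fields:` list starts and ends outside this hunk.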
@@ -1020,607 +1002,625 @@ type: integer description: | NAT rulebase first matched rule. - - name: nat_addtnl_rulenum + - name: needs_browse_time type: integer description: | - When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. - - name: message_info - type: keyword - description: | - Used for information messages, for example:NAT connection has ended. - - name: nat46 - type: keyword - description: | - NAT 46 status, in most cases "enabled". - - name: end_time - type: keyword - description: | - TCP connection end time. - - name: tcp_end_reason + Browse time required for the connection. + - name: next_hop_ip type: keyword description: | - Reason for TCP connection closure. - - name: cgnet + Next hop IP address. + - name: next_scheduled_scan_date type: keyword description: | - Describes NAT allocation for specific subscriber. - - name: subscriber - type: ip - description: | - Source IP before CGNAT. - - name: hide_ip - type: ip - description: | - Source IP which will be used after CGNAT. - - name: int_start - type: integer - description: | - Subscriber start int which will be used for NAT. - - name: int_end - type: integer - description: | - Subscriber end int which will be used for NAT. - - name: packet_amount + Next scan scheduled time according to time object. + - name: number_of_errors type: integer description: | - Amount of packets dropped. - - name: monitor_reason + Number of files that were not scanned due to an error. + - name: objecttable type: keyword description: | - Aggregated logs of monitored packets. - - name: drops_amount - type: integer - description: | - Amount of multicast packets dropped. - - name: securexl_message + Table of affected objects. + - name: objecttype type: keyword description: | - Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. 
- - name: conns_amount - type: integer - description: | - Connections amount of aggregated log info. - - name: scope + The type of the affected object. + - name: observable_comment type: keyword description: | - IP related to the attack. - - name: analyzed_on + IOC observable signature description. + - name: observable_id type: keyword description: | - Check Point ThreatCloud / emulator name. - - name: detected_on + IOC observable signature id. + - name: observable_name type: keyword description: | - System and applications version the file was emulated on. - - name: dropped_file_name + IOC observable signature name. + - name: operation type: keyword description: | - List of names dropped from the original file. - - name: dropped_file_type + Operation made by Threat Extraction. + - name: operation_number type: keyword description: | - List of file types dropped from the original file. - - name: dropped_file_hash + The operation nuber. + - name: origin_sic_name type: keyword description: | - List of file hashes dropped from the original file. - - name: dropped_file_verdict + Machine SIC. + - name: original_queue_id type: keyword description: | - List of file verdics dropped from the original file. - - name: emulated_on + Original postfix email queue id. + - name: outgoing_url type: keyword description: | - Images the files were emulated on. - - name: extracted_file_type - type: keyword + URL related to this log (for HTTP). + - name: packet_amount + type: integer description: | - Types of extracted files in case of an archive. - - name: extracted_file_names + Amount of packets dropped. + - name: packet_capture_unique_id type: keyword description: | - Names of extracted files in case of an archive. - - name: extracted_file_hash + Identifier of the packet capture files. + - name: parent_file_hash type: keyword description: | - Archive hash in case of extracted files. - - name: extracted_file_verdict + Archive's hash in case of extracted files. 
+ - name: parent_file_name type: keyword description: | - Verdict of extracted files in case of an archive. - - name: extracted_file_uid + Archive's name in case of extracted files. + - name: parent_file_uid type: keyword description: | - UID of extracted files in case of an archive. - - name: mitre_initial_access + Archive's UID in case of extracted files. + - name: parent_process_username type: keyword description: | - The adversary is trying to break into your network. - - name: mitre_execution - type: keyword + Owner username of the parent process of the process that triggered the attack. + - name: parent_rule + type: integer description: | - The adversary is trying to run malicious code. - - name: mitre_persistence - type: keyword + Parent rule number, in case of inline layer. + - name: peer_gateway + type: ip description: | - The adversary is trying to maintain his foothold. - - name: mitre_privilege_escalation + Main IP of the peer Security Gateway. + - name: peer_ip type: keyword description: | - The adversary is trying to gain higher-level permissions. - - name: mitre_defense_evasion + IP address which the client connects to. + - name: peer_ip_probing_status_update type: keyword description: | - The adversary is trying to avoid being detected. - - name: mitre_credential_access - type: keyword + IP address response status. + - name: performance_impact + type: integer description: | - The adversary is trying to steal account names and passwords. - - name: mitre_discovery + Protection performance impact. + - name: policy_mgmt type: keyword description: | - The adversary is trying to expose information about your environment. - - name: mitre_lateral_movement + Name of the Management Server that manages this Security Gateway. + - name: policy_name type: keyword description: | - The adversary is trying to explore your environment. - - name: mitre_collection - type: keyword + Name of the last policy that this Security Gateway fetched. 
+ - name: ports_usage + type: integer description: | - The adversary is trying to collect data of interest to achieve his goal. - - name: mitre_command_and_control + Percentage of allocated ports. + - name: ppp type: keyword description: | - The adversary is trying to communicate with compromised systems in order to control them. - - name: mitre_exfiltration + Authentication status. + - name: precise_error type: keyword description: | - The adversary is trying to steal data. - - name: mitre_impact + HTTP parser error. + - name: process_username type: keyword description: | - The adversary is trying to manipulate, interrupt, or destroy your systems and data. - - name: parent_file_hash + Owner username of the process that triggered the attack. + - name: properties type: keyword description: | - Archive's hash in case of extracted files. - - name: parent_file_name + Application categories. + - name: protection_id type: keyword description: | - Archive's name in case of extracted files. - - name: parent_file_uid + Protection malware id. + - name: protection_name type: keyword description: | - Archive's UID in case of extracted files. - - name: similiar_iocs + Specific signature name of the attack. + - name: protection_type type: keyword description: | - Other IoCs similar to the ones found, related to the malicious file. - - name: similar_hashes + Type of protection used to detect the attack. + - name: protocol type: keyword description: | - Hashes found similar to the malicious file. - - name: similar_strings - type: keyword + Protocol detected on the connection. + - name: proxy_machine_name + type: integer description: | - Strings found similar to the malicious file. - - name: similar_communication - type: keyword + Machine name connected to proxy IP. + - name: proxy_src_ip + type: ip description: | - Network action found similar to the malicious file. - - name: te_verdict_determined_by + Sender source IP (even when using proxy). 
+ - name: proxy_user_dn type: keyword description: | - Emulators determined file verdict. - - name: packet_capture_unique_id + User distinguished name connected to proxy IP. + - name: proxy_user_name type: keyword description: | - Identifier of the packet capture files. - - name: total_attachments - type: integer + User name connected to proxy IP. + - name: query + type: keyword description: | - The number of attachments in an email. - - name: additional_info + DNS query. + - name: question_rdata type: keyword description: | - ID of original file/mail which are sent by admin. - - name: content_risk - type: integer + List of question records domains. + - name: referrer + type: keyword description: | - File risk. - - name: operation + Referrer HTTP request header, previous web page address. + - name: referrer_parent_uid type: keyword description: | - Operation made by Threat Extraction. - - name: scrubbed_content + Log UUID of the referring application. + - name: referrer_self_uid type: keyword description: | - Active content that was found. - - name: scrub_time + UUID of the current log. + - name: registered_ip-phones type: keyword description: | - Extraction process duration. - - name: scrub_download_time + Registered IP-Phones. + - name: reject_category type: keyword description: | - File download time from resource. - - name: scrub_total_time + Authentication failure reason. + - name: reject_id type: keyword description: | - Threat extraction total file handling time. - - name: scrub_activity + A reject ID that corresponds to the one presented in the Mobile Access error page. + - name: rematch_info type: keyword description: | - The result of the extraction - - name: watermark + Information sent when old connections cannot be matched during policy installation. + - name: remediated_files type: keyword description: | - Reports whether watermark is added to the cleaned file. 
- - name: source_object + In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. + - name: reply_status type: integer description: | - Matched object name on source column. - - name: destination_object + ICAP reply status code, e.g. 200 or 204. + - name: risk type: keyword description: | - Matched object name on destination column. - - name: drop_reason - type: keyword + Risk level we got from the engine. + - name: rpc_prog + type: integer description: | - Drop reason description. - - name: hit + Log for new RPC state - prog values. + - name: rule type: integer description: | - Number of hits on a rule. + Matched rule number. + - name: rule_action + type: keyword + description: | + Action of the matched rule in the access policy. - name: rulebase_id type: integer description: | Layer number. - - name: first_hit_time + - name: scan_direction + type: keyword + description: | + Scan direction. + - name: scan_hosts_day type: integer description: | - First hit time in current interval. - - name: last_hit_time + Number of unique hosts during the last day. + - name: scan_hosts_hour type: integer description: | - Last hit time in current interval. - - name: rematch_info - type: keyword + Number of unique hosts during the last hour. + - name: scan_hosts_week + type: integer description: | - Information sent when old connections cannot be matched during policy installation. - - name: last_rematch_time + Number of unique hosts during the last week. + - name: scan_id type: keyword description: | - Connection rematched time. - - name: action_reason + Sequential number of scan. + - name: scan_mail type: integer description: | - Connection drop reason. - - name: action_reason_msg + Number of emails that were scanned by "AB malicious activity" engine. + - name: scan_results type: keyword - overwrite: true - description: > - Connection drop reason message. 
- - - name: c_bytes - type: integer description: | - Boolean value indicates whether bytes sent from the client side are used. - - name: context_num - type: integer + "Infected"/description of a failure. + - name: scheme + type: keyword description: | - Serial number of the log for a specific connection. - - name: match_id - type: integer + Describes the scheme used for the log. + - name: scope + type: keyword description: | - Private key of the rule - - name: alert + IP related to the attack. + - name: scrub_activity type: keyword description: | - Alert level of matched rule (for connection logs). - - name: parent_rule - type: integer + The result of the extraction + - name: scrub_download_time + type: keyword description: | - Parent rule number, in case of inline layer. - - name: match_fk - type: integer + File download time from resource. + - name: scrub_time + type: keyword description: | - Rule number. - - name: dropped_outgoing - type: integer + Extraction process duration. + - name: scrub_total_time + type: keyword description: | - Number of outgoing bytes dropped when using UP-limit feature. - - name: dropped_incoming - type: integer + Threat extraction total file handling time. + - name: scrubbed_content + type: keyword description: | - Number of incoming bytes dropped when using UP-limit feature. - - name: media_type + Active content that was found. + - name: sctp_association_state type: keyword description: | - Media used (audio, video, etc.) - - name: sip_reason + The bad state you were trying to update to. + - name: sctp_error type: keyword description: | - Explains why 'source_ip' isn't allowed to redirect (handover). - - name: voip_method + Error information, what caused sctp to fail on out_of_state. + - name: scv_message_info type: keyword description: | - Registration request. - - name: registered_ip-phones + Drop reason. + - name: scv_user type: keyword description: | - Registered IP-Phones. 
- - name: voip_reg_user_type + Username whose packets are dropped on SCV. + - name: securexl_message type: keyword description: | - Registered IP-Phone type. - - name: voip_call_id + Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. + - name: session_id type: keyword description: | - Call-ID. - - name: voip_reg_int - type: integer + Log uuid. + - name: session_uid + type: keyword description: | - Registration port. - - name: voip_reg_ipp - type: integer + HTTP session-id. + - name: short_desc + type: keyword description: | - Registration IP protocol. - - name: voip_reg_period - type: integer + Short description of the process that was executed. + - name: sig_id + type: keyword description: | - Registration period. - - name: voip_log_type + Application's signature ID which how it was detected by. + - name: similar_communication type: keyword description: | - VoIP log types. Possible values: reject, call, registration. - - name: src_phone_number + Network action found similar to the malicious file. + - name: similar_hashes type: keyword description: | - Source IP-Phone. - - name: voip_from_user_type + Hashes found similar to the malicious file. + - name: similar_strings type: keyword description: | - Source IP-Phone type. - - name: dst_phone_number + Strings found similar to the malicious file. + - name: similiar_iocs type: keyword description: | - Destination IP-Phone. - - name: voip_to_user_type + Other IoCs similar to the ones found, related to the malicious file. + - name: sip_reason type: keyword description: | - Destination IP-Phone type. - - name: voip_call_dir + Explains why 'source_ip' isn't allowed to redirect (handover). + - name: site_name type: keyword description: | - Call direction: in/out. - - name: voip_call_state + Site name. + - name: source_interface type: keyword description: | - Call state. Possible values: in/out. 
- - name: voip_call_term_time + External Interface name for source interface or Null if not found. + - name: source_object type: keyword description: | - Call termination time stamp. - - name: voip_duration + Matched object name on source column. + - name: source_os type: keyword description: | - Call duration (seconds). - - name: voip_media_port + OS which generated the attack. + - name: special_properties + type: integer + description: | + If this field is set to '1' the log will not be shown (in use for monitoring scan progress). + - name: specific_data_type_name type: keyword description: | - Media int. - - name: voip_media_ipp + Compound/Group scenario, data type that was matched. + - name: speed + type: integer + description: | + Current scan speed. + - name: spyware_name type: keyword description: | - Media IP protocol. - - name: voip_est_codec + Spyware name. + - name: spyware_type type: keyword description: | - Estimated codec. - - name: voip_exp - type: integer + Spyware type. + - name: src_country + type: keyword + description: | + Country name, derived from connection source IP address. + - name: src_phone_number + type: keyword + description: | + Source IP-Phone. + - name: src_user_dn + type: keyword description: | - Expiration. - - name: voip_attach_sz - type: integer + User distinguished name connected to source IP. + - name: src_user_name + type: keyword description: | - Attachment size. - - name: voip_attach_action_info + User name connected to source IP + - name: srckeyid type: keyword description: | - Attachment action Info. - - name: voip_media_codec + Initiator Spi ID. + - name: status type: keyword description: | - Estimated codec. - - name: voip_reject_reason + Ok/Warning/Error. + - name: status_update type: keyword description: | - Reject reason. - - name: voip_reason_info + Last time log was updated. + - name: sub_policy_name type: keyword description: | - Information. - - name: voip_config + Layer name. 
+ - name: sub_policy_uid type: keyword description: | - Configuration. - - name: voip_reg_server + Layer uid. + - name: subscriber type: ip description: | - Registrar server IP address. - - name: scv_user + Source IP before CGNAT. + - name: summary type: keyword description: | - Username whose packets are dropped on SCV. - - name: scv_message_info - type: keyword + Summary message of a non-compliant DNS traffic drops or detects. + - name: suppressed_logs + type: integer description: | - Drop reason. - - name: ppp + Aggregated connections for five minutes on the same source, destination and port. + - name: sync type: keyword description: | - Authentication status. - - name: scheme + Sync status and the reason (stable, at risk). + - name: sys_message type: keyword description: | - Describes the scheme used for the log. - - name: auth_method + System messages + - name: tcp_end_reason type: keyword description: | - Password authentication protocol used (PAP or EAP). - - name: machine + Reason for TCP connection closure. + - name: tcp_flags type: keyword description: | - L2TP machine which triggered the log and the log refers to it. - - name: vpn_feature_name + TCP packet flags (SYN, ACK, etc.,). + - name: tcp_packet_out_of_state type: keyword description: | - L2TP /IKE / Link Selection. - - name: reject_category + State violation. + - name: tcp_state type: keyword description: | - Authentication failure reason. - - name: peer_ip_probing_status_update + Log reinting a tcp state change. + - name: te_verdict_determined_by type: keyword description: | - IP address response status. - - name: peer_ip + Emulators determined file verdict. + - name: ticket_id type: keyword description: | - IP address which the client connects to. - - name: peer_gateway - type: ip - description: | - Main IP of the peer Security Gateway. - - name: link_probing_status_update + Unique ID per file. + - name: tls_server_host_name type: keyword description: | - IP address response status. 
- - name: source_interface
+ SNI/CN from encrypted TLS connection used by URLF for categorization.
+ - name: top_archive_file_name
 type: keyword
 description: |
- External Interface name for source interface or Null if not found.
- - name: next_hop_ip
- type: keyword
+ In case of archive file: the file that was sent/received.
+ - name: total_attachments
+ type: integer
 description: |
- Next hop IP address.
- - name: srckeyid
+ The number of attachments in an email.
+ - name: triggered_by
 type: keyword
 description: |
- Initiator Spi ID.
- - name: dstkeyid
+ The name of the mechanism that triggered the Software Blade to enforce a protection.
+ - name: trusted_domain
 type: keyword
+ description: In case of phishing event, the domain, which the attacker was impersonating.
+ - name: unique_detected_day
+ type: integer
 description: |
- Responder Spi ID.
- - name: encryption_failure
- type: keyword
+ Detected virus for a specific host during the last day.
+ - name: unique_detected_hour
+ type: integer
 description: |
- Message indicating why the encryption failed.
- - name: ike_ids
+ Detected virus for a specific host during the last hour.
+ - name: unique_detected_week
+ type: integer
+ description: |
+ Detected virus for a specific host during the last week.
+ - name: update_status
+ type: keyword
+ description: Status of database update
+ - name: url
 type: keyword
 description: |
- All QM ids.
- - name: community
+ Translated URL.
+ - name: user
 type: keyword
 description: |
- Community name for the IPSec key and the use of the IKEv.
- - name: ike
+ Source user name.
+ - name: user_agent
 type: keyword
 description: |
- IKEMode (PHASE1, PHASE2, etc..).
- - name: cookieI
+ String identifying requesting software user agent.
+ - name: vendor_list
 type: keyword
 description: |
- Initiator cookie.
- - name: cookieR
+ The vendor name that provided the verdict for a malicious URL.
+ - name: verdict
 type: keyword
 description: |
- Responder cookie.
- - name: msgid
+ TE engine verdict Possible values: Malicious/Benign/Error.
+ - name: via
 type: keyword
 description: |
- Message ID.
- - name: methods
+ Via header is added by proxies for tracking purposes to avoid sending reqests in loop.
+ - name: voip_attach_action_info
 type: keyword
 description: |
- IPSEc methods.
- - name: connection_uid
+ Attachment action Info.
+ - name: voip_attach_sz
+ type: integer
+ description: |
+ Attachment size.
+ - name: voip_call_dir
 type: keyword
 description: |
- Calculation of md5 of the IP and user name as UID.
- - name: site_name
+ Call direction: in/out.
+ - name: voip_call_id
 type: keyword
 description: |
- Site name.
- - name: esod_rule_name
+ Call-ID.
+ - name: voip_call_state
 type: keyword
 description: |
- Unknown rule name.
- - name: esod_rule_action
+ Call state. Possible values: in/out.
+ - name: voip_call_term_time
 type: keyword
 description: |
- Unknown rule action.
- - name: esod_rule_type
+ Call termination time stamp.
+ - name: voip_config
 type: keyword
 description: |
- Unknown rule type.
- - name: esod_noncompliance_reason
+ Configuration.
+ - name: voip_duration
 type: keyword
 description: |
- Non-compliance reason.
- - name: esod_associated_policies
+ Call duration (seconds).
+ - name: voip_est_codec
 type: keyword
 description: |
- Associated policies.
- - name: spyware_name
+ Estimated codec.
+ - name: voip_exp
+ type: integer
+ description: |
+ Expiration.
+ - name: voip_from_user_type
 type: keyword
 description: |
- Spyware name.
- - name: spyware_type
+ Source IP-Phone type.
+ - name: voip_log_type
 type: keyword
 description: |
- Spyware type.
- - name: anti_virus_type
+ VoIP log types. Possible values: reject, call, registration.
+ - name: voip_media_codec
 type: keyword
 description: |
- Anti virus type.
- - name: end_user_firewall_type
+ Estimated codec.
+ - name: voip_media_ipp
 type: keyword
 description: |
- End user firewall type.
- - name: esod_scan_status
+ Media IP protocol.
+ - name: voip_media_port
 type: keyword
 description: |
- Scan failed.
- - name: esod_access_status
+ Media int.
+ - name: voip_method
 type: keyword
 description: |
- Access denied.
- - name: client_type
+ Registration request.
+ - name: voip_reason_info
 type: keyword
 description: |
- Endpoint Connect.
- - name: precise_error
+ Information.
+ - name: voip_reg_int
+ type: integer
+ description: |
+ Registration port.
+ - name: voip_reg_ipp
+ type: integer
+ description: |
+ Registration IP protocol.
+ - name: voip_reg_period
+ type: integer
+ description: |
+ Registration period.
+ - name: voip_reg_server
+ type: ip
+ description: |
+ Registrar server IP address.
+ - name: voip_reg_user_type
 type: keyword
 description: |
- HTTP parser error.
- - name: method
+ Registered IP-Phone type.
+ - name: voip_reject_reason
 type: keyword
 description: |
- HTTP method.
- - name: trusted_domain
+ Reject reason.
+ - name: voip_to_user_type
 type: keyword
- description: In case of phishing event, the domain, which the attacker was impersonating.
- - name: comment
+ description: |
+ Destination IP-Phone type.
+ - name: vpn_feature_name
 type: keyword
- - name: conn_direction
+ description: |
+ L2TP /IKE / Link Selection.
+ - name: watermark
 type: keyword
- description: Connection direction
- - name: db_ver
+ description: |
+ Reports whether watermark is added to the cleaned file.
+ - name: web_server_type
 type: keyword
- description: Database version
- - name: update_status
+ description: |
+ Web server detected in the HTTP response.
+ - name: word_list
 type: keyword
- description: Status of database update
+ description: |
+ Words matched by data type.
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md
index e198ca4bd9d..61c4d21a656 100644
--- a/packages/checkpoint/docs/README.md
+++ b/packages/checkpoint/docs/README.md
@@ -426,7 +426,7 @@ An example event for `firewall` looks as following:
 | checkpoint.sip_reason | Explains why 'source_ip' isn't allowed to redirect (handover). | keyword |
 | checkpoint.site_name | Site name. | keyword |
 | checkpoint.source_interface | External Interface name for source interface or Null if not found. | keyword |
-| checkpoint.source_object | Matched object name on source column. | integer |
+| checkpoint.source_object | Matched object name on source column. | keyword |
 | checkpoint.source_os | OS which generated the attack. | keyword |
 | checkpoint.special_properties | If this field is set to '1' the log will not be shown (in use for monitoring scan progress). | integer |
 | checkpoint.specific_data_type_name | Compound/Group scenario, data type that was matched. | keyword |
@@ -551,6 +551,7 @@ An example event for `firewall` looks as following:
 | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
 | event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
 | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
@@ -587,7 +588,7 @@ An example event for `firewall` looks as following:
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
 | log.source.address | Source address of logs received over the network. | keyword |
diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml
index d43200c0e7e..287c3bfdbb1 100644
--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: 1.3.3
+version: 1.3.4
 release: ga
 description: Collect logs from Check Point with Elastic Agent.
 type: integration