Start free trial Contact Sales

Checkpoint fields

Some checkpoint module

checkpoint

Module for parsing Checkpoint syslog.

checkpoint.confidence_level: Confidence level determined by ThreatCloud.

type: integer

checkpoint.calc_desc: Log description.

type: keyword

checkpoint.dst_country: Destination country.

type: keyword

checkpoint.dst_user_name: Connected user name on the destination IP.

type: keyword

checkpoint.email_id: Email number in smtp connection.

type: keyword

checkpoint.email_subject: Original email subject.

type: keyword

checkpoint.email_session_id: Connection uuid.

type: keyword

checkpoint.event_count: Number of events associated with the log.

type: long

checkpoint.sys_message: System messages

type: keyword

checkpoint.logid: System messages

type: keyword

checkpoint.failure_impact: The impact of update service failure.

type: keyword

checkpoint.id: Override application ID.

type: integer

checkpoint.identity_src: The source for authentication identity information.

type: keyword

checkpoint.information: Policy installation status for a specific blade.

type: keyword

checkpoint.layer_name: Layer name.

type: keyword

checkpoint.layer_uuid: Layer UUID.

type: keyword

checkpoint.log_id: Unique identity for logs.

type: integer

checkpoint.malware_family: Additional information on protection.

type: keyword

checkpoint.origin_sic_name: Machine SIC.

type: keyword

checkpoint.policy_mgmt: Name of the Management Server that manages this Security Gateway.

type: keyword

checkpoint.policy_name: Name of the last policy that this Security Gateway fetched.

type: keyword

checkpoint.protection_id: Protection malware id.

type: keyword

checkpoint.protection_name: Specific signature name of the attack.

type: keyword

checkpoint.protection_type: Type of protection used to detect the attack.

type: keyword

checkpoint.protocol: Protocol detected on the connection.

type: keyword

checkpoint.proxy_src_ip: Sender source IP (even when using proxy).

type: ip

checkpoint.rule: Matched rule number.

type: integer

checkpoint.rule_action: Action of the matched rule in the access policy.

type: keyword

checkpoint.scan_direction: Scan direction.

type: keyword

checkpoint.session_id: Log uuid.

type: keyword

checkpoint.source_os: OS which generated the attack.

type: keyword

checkpoint.src_country: Country name, derived from connection source IP address.

type: keyword

checkpoint.src_user_name: User name connected to source IP

type: keyword

checkpoint.ticket_id: Unique ID per file.

type: keyword

checkpoint.tls_server_host_name: SNI/CN from encrypted TLS connection used by URLF for categorization.

type: keyword

checkpoint.verdict: TE engine verdict Possible values: Malicious/Benign/Error.

type: keyword

checkpoint.user: Source user name.

type: keyword

checkpoint.vendor_list: The vendor name that provided the verdict for a malicious URL.

type: keyword

checkpoint.web_server_type: Web server detected in the HTTP response.

type: keyword

checkpoint.client_name: Client Application or Software Blade that detected the event.

type: keyword

checkpoint.client_version: Build version of SandBlast Agent client installed on the computer.

type: keyword

checkpoint.extension_version: Build version of the SandBlast Agent browser extension.

type: keyword

checkpoint.host_time: Local time on the endpoint computer.

type: keyword

checkpoint.installed_products: List of installed Endpoint Software Blades.

type: keyword

checkpoint.cc: The Carbon Copy address of the email.

type: keyword

checkpoint.parent_process_username: Owner username of the parent process of the process that triggered the attack.

type: keyword

checkpoint.process_username: Owner username of the process that triggered the attack.

type: keyword

checkpoint.audit_status: Audit Status. Can be Success or Failure.

type: keyword

checkpoint.objecttable: Table of affected objects.

type: keyword

checkpoint.objecttype: The type of the affected object.

type: keyword

checkpoint.operation_number: The operation nuber.

type: keyword

checkpoint.email_recipients_num: Amount of recipients whom the mail was sent to.

type: integer

checkpoint.suppressed_logs: Aggregated connections for five minutes on the same source, destination and port.

type: integer

checkpoint.blade_name: Blade name.

type: keyword

checkpoint.status: Ok/Warning/Error.

type: keyword

checkpoint.short_desc: Short description of the process that was executed.

type: keyword

checkpoint.long_desc: More information on the process (usually describing error reason in failure).

type: keyword

checkpoint.scan_hosts_hour: Number of unique hosts during the last hour.

type: integer

checkpoint.scan_hosts_day: Number of unique hosts during the last day.

type: integer

checkpoint.scan_hosts_week: Number of unique hosts during the last week.

type: integer

checkpoint.unique_detected_hour: Detected virus for a specific host during the last hour.

type: integer

checkpoint.unique_detected_day: Detected virus for a specific host during the last day.

type: integer

checkpoint.unique_detected_week: Detected virus for a specific host during the last week.

type: integer

checkpoint.scan_mail: Number of emails that were scanned by "AB malicious activity" engine.

type: integer

checkpoint.additional_ip: DNS host name.

type: keyword

checkpoint.description: Additional explanation how the security gateway enforced the connection.

type: keyword

checkpoint.email_spam_category: Email categories. Possible values: spam/not spam/phishing.

type: keyword

checkpoint.email_control_analysis: Message classification, received from spam vendor engine.

type: keyword

checkpoint.scan_results: "Infected"/description of a failure.

type: keyword

checkpoint.original_queue_id: Original postfix email queue id.

type: keyword

checkpoint.risk: Risk level we got from the engine.

type: keyword

checkpoint.roles: The role of identity.

type: keyword

checkpoint.observable_name: IOC observable signature name.

type: keyword

checkpoint.observable_id: IOC observable signature id.

type: keyword

checkpoint.observable_comment: IOC observable signature description.

type: keyword

checkpoint.indicator_name: IOC indicator name.

type: keyword

checkpoint.indicator_description: IOC indicator description.

type: keyword

checkpoint.indicator_reference: IOC indicator reference.

type: keyword

checkpoint.indicator_uuid: IOC indicator uuid.

type: keyword

checkpoint.app_desc: Application description.

type: keyword

checkpoint.app_id: Application ID.

type: integer

checkpoint.app_sig_id: IOC indicator description.

type: keyword

checkpoint.certificate_resource: HTTPS resource Possible values: SNI or domain name (DN).

type: keyword

checkpoint.certificate_validation: Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature.

type: keyword

checkpoint.browse_time: Application session browse time.

type: keyword

checkpoint.limit_requested: Indicates whether data limit was requested for the session.

type: integer

checkpoint.limit_applied: Indicates whether the session was actually date limited.

type: integer

checkpoint.dropped_total: Amount of dropped packets (both incoming and outgoing).

type: integer

checkpoint.client_type_os: Client OS detected in the HTTP request.

type: keyword

checkpoint.name: Application name.

type: keyword

checkpoint.properties: Application categories.

type: keyword

checkpoint.sig_id: Application’s signature ID which how it was detected by.

type: keyword

checkpoint.desc: Override application description.

type: keyword

checkpoint.referrer_self_uid: UUID of the current log.

type: keyword

checkpoint.referrer_parent_uid: Log UUID of the referring application.

type: keyword

checkpoint.needs_browse_time: Browse time required for the connection.

type: integer

checkpoint.cluster_info: Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.

type: keyword

checkpoint.sync: Sync status and the reason (stable, at risk).

type: keyword

checkpoint.file_direction: File direction. Possible options: upload/download.

type: keyword

checkpoint.invalid_file_size: File_size field is valid only if this field is set to 0.

type: integer

checkpoint.top_archive_file_name: In case of archive file: the file that was sent/received.

type: keyword

checkpoint.data_type_name: Data type in rulebase that was matched.

type: keyword

checkpoint.specific_data_type_name: Compound/Group scenario, data type that was matched.

type: keyword

checkpoint.word_list: Words matched by data type.

type: keyword

checkpoint.info: Special log message.

type: keyword

checkpoint.outgoing_url: URL related to this log (for HTTP).

type: keyword

checkpoint.dlp_rule_name: Matched rule name.

type: keyword

checkpoint.dlp_recipients: Mail recipients.

type: keyword

checkpoint.dlp_subject: Mail subject.

type: keyword

checkpoint.dlp_word_list: Phrases matched by data type.

type: keyword

checkpoint.dlp_template_score: Template data type match score.

type: keyword

checkpoint.message_size: Mail/post size.

type: integer

checkpoint.dlp_incident_uid: Unique ID of the matched rule.

type: keyword

checkpoint.dlp_related_incident_uid: Other ID related to this one.

type: keyword

checkpoint.dlp_data_type_name: Matched data type.

type: keyword

checkpoint.dlp_data_type_uid: Unique ID of the matched data type.

type: keyword

checkpoint.dlp_violation_description: Violation descriptions described in the rulebase.

type: keyword

checkpoint.dlp_relevant_data_types: In case of Compound/Group: the inner data types that were matched.

type: keyword

checkpoint.dlp_action_reason: Action chosen reason.

type: keyword

checkpoint.dlp_categories: Data type category.

type: keyword

checkpoint.dlp_transint: HTTP/SMTP/FTP.

type: keyword

checkpoint.duplicate: Log marked as duplicated, when mail is split and the Security Gateway sees it twice.

type: keyword

checkpoint.incident_extension: Matched data type.

type: keyword

checkpoint.matched_file: Unique ID of the matched data type.

type: keyword

checkpoint.matched_file_text_segments: Fingerprint: number of text segments matched by this traffic.

type: integer

checkpoint.matched_file_percentage: Fingerprint: match percentage of the traffic.

type: integer

checkpoint.dlp_additional_action: Watermark/None.

type: keyword

checkpoint.dlp_watermark_profile: Watermark which was applied.

type: keyword

checkpoint.dlp_repository_id: ID of scanned repository.

type: keyword

checkpoint.dlp_repository_root_path: Repository path.

type: keyword

checkpoint.scan_id: Sequential number of scan.

type: keyword

checkpoint.special_properties: If this field is set to 1 the log will not be shown (in use for monitoring scan progress).

type: integer

checkpoint.dlp_repository_total_size: Repository size.

type: integer

checkpoint.dlp_repository_files_number: Number of files in repository.

type: integer

checkpoint.dlp_repository_scanned_files_number: Number of scanned files in repository.

type: integer

checkpoint.duration: Scan duration.

type: keyword

checkpoint.dlp_fingerprint_long_status: Scan status - long format.

type: keyword

checkpoint.dlp_fingerprint_short_status: Scan status - short format.

type: keyword

checkpoint.dlp_repository_directories_number: Number of directories in repository.

type: integer

checkpoint.dlp_repository_unreachable_directories_number: Number of directories the Security Gateway was unable to read.

type: integer

checkpoint.dlp_fingerprint_files_number: Number of successfully scanned files in repository.

type: integer

checkpoint.dlp_repository_skipped_files_number: Skipped number of files because of configuration.

type: integer

checkpoint.dlp_repository_scanned_directories_number: Amount of directories scanned.

type: integer

checkpoint.number_of_errors: Number of files that were not scanned due to an error.

type: integer

checkpoint.next_scheduled_scan_date: Next scan scheduled time according to time object.

type: keyword

checkpoint.dlp_repository_scanned_total_size: Size scanned.

type: integer

checkpoint.dlp_repository_reached_directories_number: Number of scanned directories in repository.

type: integer

checkpoint.dlp_repository_not_scanned_directories_percentage: Percentage of directories the Security Gateway was unable to read.

type: integer

checkpoint.speed: Current scan speed.

type: integer

checkpoint.dlp_repository_scan_progress: Scan percentage.

type: integer

checkpoint.sub_policy_name: Layer name.

type: keyword

checkpoint.sub_policy_uid: Layer uid.

type: keyword

checkpoint.fw_message: Used for various firewall errors.

type: keyword

checkpoint.message: ISP link has failed.

type: keyword

checkpoint.isp_link: Name of ISP link.

type: keyword

checkpoint.fw_subproduct: Can be vpn/non vpn.

type: keyword

checkpoint.sctp_error: Error information, what caused sctp to fail on out_of_state.

type: keyword

checkpoint.chunk_type: Chunck of the sctp stream.

type: keyword

checkpoint.sctp_association_state: The bad state you were trying to update to.

type: keyword

checkpoint.tcp_packet_out_of_state: State violation.

type: keyword

checkpoint.tcp_flags: TCP packet flags (SYN, ACK, etc.,).

type: keyword

checkpoint.connectivity_level: Log for a new connection in wire mode.

type: keyword

checkpoint.ip_option: IP option that was dropped.

type: integer

checkpoint.tcp_state: Log reinting a tcp state change.

type: keyword

checkpoint.expire_time: Connection closing time.

type: keyword

checkpoint.icmp_type: In case a connection is ICMP, type info will be added to the log.

type: integer

checkpoint.icmp_code: In case a connection is ICMP, code info will be added to the log.

type: integer

checkpoint.rpc_prog: Log for new RPC state - prog values.

type: integer

checkpoint.dce-rpc_interface_uuid: Log for new RPC state - UUID values

type: keyword

checkpoint.elapsed: Time passed since start time.

type: keyword

checkpoint.icmp: Number of packets, received by the client.

type: keyword

checkpoint.capture_uuid: UUID generated for the capture. Used when enabling the capture when logging.

type: keyword

checkpoint.diameter_app_ID: The ID of diameter application.

type: integer

checkpoint.diameter_cmd_code: Diameter not allowed application command id.

type: integer

checkpoint.diameter_msg_type: Diameter message type.

type: keyword

checkpoint.cp_message: Used to log a general message.

type: integer

checkpoint.log_delay: Time left before deleting template.

type: integer

checkpoint.attack_status: In case of a malicious event on an endpoint computer, the status of the attack.

type: keyword

checkpoint.impacted_files: In case of an infection on an endpoint computer, the list of files that the malware impacted.

type: keyword

checkpoint.remediated_files: In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.

type: keyword

checkpoint.triggered_by: The name of the mechanism that triggered the Software Blade to enforce a protection.

type: keyword

checkpoint.https_inspection_rule_id: ID of the matched rule.

type: keyword

checkpoint.https_inspection_rule_name: Name of the matched rule.

type: keyword

checkpoint.app_properties: List of all found categories.

type: keyword

checkpoint.https_validation: Precise error, describing HTTPS inspection failure.

type: keyword

checkpoint.https_inspection_action: HTTPS inspection action (Inspect/Bypass/Error).

type: keyword

checkpoint.icap_service_id: Service ID, can work with multiple servers, treated as services.

type: integer

checkpoint.icap_server_name: Server name.

type: keyword

checkpoint.internal_error: Internal error, for troubleshooting

type: keyword

checkpoint.icap_more_info: Free text for verdict.

type: integer

checkpoint.reply_status: ICAP reply status code, e.g. 200 or 204.

type: integer

checkpoint.icap_server_service: Service name, as given in the ICAP URI

type: keyword

checkpoint.mirror_and_decrypt_type: Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).

type: keyword

checkpoint.interface_name: Designated interface for mirror And decrypt.

type: keyword

checkpoint.session_uid: HTTP session-id.

type: keyword

checkpoint.broker_publisher: IP address of the broker publisher who shared the session information.

type: ip

checkpoint.src_user_dn: User distinguished name connected to source IP.

type: keyword

checkpoint.proxy_user_name: User name connected to proxy IP.

type: keyword

checkpoint.proxy_machine_name: Machine name connected to proxy IP.

type: integer

checkpoint.proxy_user_dn: User distinguished name connected to proxy IP.

type: keyword

checkpoint.query: DNS query.

type: keyword

checkpoint.dns_query: DNS query.

type: keyword

checkpoint.inspection_item: Blade element performed inspection.

type: keyword

checkpoint.performance_impact: Protection performance impact.

type: integer

checkpoint.inspection_category: Inspection category: protocol anomaly, signature etc.

type: keyword

checkpoint.inspection_profile: Profile which the activated protection belongs to.

type: keyword

checkpoint.summary: Summary message of a non-compliant DNS traffic drops or detects.

type: keyword

checkpoint.question_rdata: List of question records domains.

type: keyword

checkpoint.answer_rdata: List of answer resource records to the questioned domains.

type: keyword

checkpoint.authority_rdata: List of authoritative servers.

type: keyword

checkpoint.additional_rdata: List of additional resource records.

type: keyword

checkpoint.files_names: List of files requested by FTP.

type: keyword

checkpoint.ftp_user: FTP username.

type: keyword

checkpoint.mime_from: Sender’s address.

type: keyword

checkpoint.mime_to: List of receiver address.

type: keyword

checkpoint.bcc: List of BCC addresses.

type: keyword

checkpoint.content_type: Mail content type. Possible values: application/msword, text/html, image/gif etc.

type: keyword

checkpoint.user_agent: String identifying requesting software user agent.

type: keyword

checkpoint.referrer: Referrer HTTP request header, previous web page address.

type: keyword

checkpoint.http_location: Response header, indicates the URL to redirect a page to.

type: keyword

checkpoint.content_disposition: Indicates how the content is expected to be displayed inline in the browser.

type: keyword

checkpoint.via: Via header is added by proxies for tracking purposes to avoid sending reqests in loop.

type: keyword

checkpoint.http_server: Server HTTP header value, contains information about the software used by the origin server, which handles the request.

type: keyword

checkpoint.content_length: Indicates the size of the entity-body of the HTTP header.

type: keyword

checkpoint.authorization: Authorization HTTP header value.

type: keyword

checkpoint.http_host: Domain name of the server that the HTTP request is sent to.

type: keyword

checkpoint.inspection_settings_log: Indicats that the log was released by inspection settings.

type: keyword

checkpoint.cvpn_resource: Mobile Access application.

type: keyword

checkpoint.cvpn_category: Mobile Access application type.

type: keyword

checkpoint.url: Translated URL.

type: keyword

checkpoint.reject_id: A reject ID that corresponds to the one presented in the Mobile Access error page.

type: keyword

checkpoint.fs-proto: The file share protocol used in mobile acess file share application.

type: keyword

checkpoint.app_package: Unique identifier of the application on the protected mobile device.

type: keyword

checkpoint.appi_name: Name of application downloaded on the protected mobile device.

type: keyword

checkpoint.app_repackaged: Indicates whether the original application was repackage not by the official developer.

type: keyword

checkpoint.app_sid_id: Unique SHA identifier of a mobile application.

type: keyword

checkpoint.app_version: Version of the application downloaded on the protected mobile device.

type: keyword

checkpoint.developer_certificate_name: Name of the developer’s certificate that was used to sign the mobile application.

type: keyword

checkpoint.email_control: Engine name.

type: keyword

checkpoint.email_message_id: Email session id (uniqe ID of the mail).

type: keyword

checkpoint.email_queue_id: Postfix email queue id.

type: keyword

checkpoint.email_queue_name: Postfix email queue name.

type: keyword

checkpoint.file_name: Malicious file name.

type: keyword

checkpoint.failure_reason: MTA failure description.

type: keyword

checkpoint.email_headers: String containing all the email headers.

type: keyword

checkpoint.arrival_time: Email arrival timestamp.

type: keyword

checkpoint.email_status: Describes the email’s state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended

type: keyword

checkpoint.status_update: Last time log was updated.

type: keyword

checkpoint.delivery_time: Timestamp of when email was delivered (MTA finished handling the email.

type: keyword

checkpoint.links_num: Number of links in the mail.

type: integer

checkpoint.attachments_num: Number of attachments in the mail.

type: integer

checkpoint.email_content: Mail contents. Possible options: attachments/links & attachments/links/text only.

type: keyword

checkpoint.allocated_ports: Amount of allocated ports.

type: integer

checkpoint.capacity: Capacity of the ports.

type: integer

checkpoint.ports_usage: Percentage of allocated ports.

type: integer

checkpoint.nat_exhausted_pool: 4-tuple of an exhausted pool.

type: keyword

checkpoint.nat_rulenum: NAT rulebase first matched rule.

type: integer

checkpoint.nat_addtnl_rulenum: When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.

type: integer

checkpoint.message_info: Used for information messages, for example:NAT connection has ended.

type: keyword

checkpoint.nat46: NAT 46 status, in most cases "enabled".

type: keyword

checkpoint.end_time: TCP connection end time.

type: keyword

checkpoint.tcp_end_reason: Reason for TCP connection closure.

type: keyword

checkpoint.cgnet: Describes NAT allocation for specific subscriber.

type: keyword

checkpoint.subscriber: Source IP before CGNAT.

type: ip

checkpoint.hide_ip: Source IP which will be used after CGNAT.

type: ip

checkpoint.int_start: Subscriber start int which will be used for NAT.

type: integer

checkpoint.int_end: Subscriber end int which will be used for NAT.

type: integer

checkpoint.packet_amount: Amount of packets dropped.

type: integer

checkpoint.monitor_reason: Aggregated logs of monitored packets.

type: keyword

checkpoint.drops_amount: Amount of multicast packets dropped.

type: integer

checkpoint.securexl_message: Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.

type: keyword

checkpoint.conns_amount: Connections amount of aggregated log info.

type: integer

checkpoint.scope: IP related to the attack.

type: keyword

checkpoint.analyzed_on: Check Point ThreatCloud / emulator name.

type: keyword

checkpoint.detected_on: System and applications version the file was emulated on.

type: keyword

checkpoint.dropped_file_name: List of names dropped from the original file.

type: keyword

checkpoint.dropped_file_type: List of file types dropped from the original file.

type: keyword

checkpoint.dropped_file_hash: List of file hashes dropped from the original file.

type: keyword

checkpoint.dropped_file_verdict: List of file verdics dropped from the original file.

type: keyword

checkpoint.emulated_on: Images the files were emulated on.

type: keyword

checkpoint.extracted_file_type: Types of extracted files in case of an archive.

type: keyword

checkpoint.extracted_file_names: Names of extracted files in case of an archive.

type: keyword

checkpoint.extracted_file_hash: Archive hash in case of extracted files.

type: keyword

checkpoint.extracted_file_verdict: Verdict of extracted files in case of an archive.

type: keyword

checkpoint.extracted_file_uid: UID of extracted files in case of an archive.

type: keyword

checkpoint.mitre_initial_access: The adversary is trying to break into your network.

type: keyword

checkpoint.mitre_execution: The adversary is trying to run malicious code.

type: keyword

checkpoint.mitre_persistence: The adversary is trying to maintain his foothold.

type: keyword

checkpoint.mitre_privilege_escalation: The adversary is trying to gain higher-level permissions.

type: keyword

checkpoint.mitre_defense_evasion: The adversary is trying to avoid being detected.

type: keyword

checkpoint.mitre_credential_access: The adversary is trying to steal account names and passwords.

type: keyword

checkpoint.mitre_discovery: The adversary is trying to expose information about your environment.

type: keyword

checkpoint.mitre_lateral_movement: The adversary is trying to explore your environment.

type: keyword

checkpoint.mitre_collection: The adversary is trying to collect data of interest to achieve his goal.

type: keyword

checkpoint.mitre_command_and_control: The adversary is trying to communicate with compromised systems in order to control them.

type: keyword

checkpoint.mitre_exfiltration: The adversary is trying to steal data.

type: keyword

checkpoint.mitre_impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data.

type: keyword

checkpoint.parent_file_hash: Archive’s hash in case of extracted files.

type: keyword

checkpoint.parent_file_name: Archive’s name in case of extracted files.

type: keyword

checkpoint.parent_file_uid: Archive’s UID in case of extracted files.

type: keyword

checkpoint.similiar_iocs: Other IoCs similar to the ones found, related to the malicious file.

type: keyword

checkpoint.similar_hashes: Hashes found similar to the malicious file.

type: keyword

checkpoint.similar_strings: Strings found similar to the malicious file.

type: keyword

checkpoint.similar_communication: Network action found similar to the malicious file.

type: keyword

checkpoint.te_verdict_determined_by: Emulators determined file verdict.

type: keyword

checkpoint.packet_capture_unique_id: Identifier of the packet capture files.

type: keyword

checkpoint.total_attachments: The number of attachments in an email.

type: integer

checkpoint.additional_info: ID of original file/mail which are sent by admin.

type: keyword

checkpoint.content_risk: File risk.

type: integer

checkpoint.operation: Operation made by Threat Extraction.

type: keyword

checkpoint.scrubbed_content: Active content that was found.

type: keyword

checkpoint.scrub_time: Extraction process duration.

type: keyword

checkpoint.scrub_download_time: File download time from resource.

type: keyword

checkpoint.scrub_total_time: Threat extraction total file handling time.

type: keyword

checkpoint.scrub_activity: The result of the extraction

type: keyword

checkpoint.watermark: Reports whether watermark is added to the cleaned file.

type: keyword

checkpoint.snid: The Check Point session ID.

type: keyword

checkpoint.source_object: Matched object name on source column.

type: keyword

checkpoint.destination_object: Matched object name on destination column.

type: keyword

checkpoint.drop_reason: Drop reason description.

type: keyword

checkpoint.hit: Number of hits on a rule.

type: integer

checkpoint.rulebase_id: Layer number.

type: integer

checkpoint.first_hit_time: First hit time in current interval.

type: integer

checkpoint.last_hit_time: Last hit time in current interval.

type: integer

checkpoint.rematch_info: Information sent when old connections cannot be matched during policy installation.

type: keyword

checkpoint.last_rematch_time: Connection rematched time.

type: keyword

checkpoint.action_reason: Connection drop reason.

type: integer

checkpoint.action_reason_msg: Connection drop reason message.

type: keyword

checkpoint.c_bytes: Boolean value indicates whether bytes sent from the client side are used.

type: integer

checkpoint.context_num: Serial number of the log for a specific connection.

type: integer

checkpoint.match_id: Private key of the rule

type: integer

checkpoint.alert: Alert level of matched rule (for connection logs).

type: keyword

checkpoint.parent_rule: Parent rule number, in case of inline layer.

type: integer

checkpoint.match_fk: Rule number.

type: integer

checkpoint.dropped_outgoing: Number of outgoing bytes dropped when using UP-limit feature.

type: integer

checkpoint.dropped_incoming: Number of incoming bytes dropped when using UP-limit feature.

type: integer

checkpoint.media_type: Media used (audio, video, etc.)

type: keyword

checkpoint.sip_reason: Explains why source_ip isn’t allowed to redirect (handover).

type: keyword

checkpoint.voip_method: Registration request.

type: keyword

checkpoint.registered_ip-phones: Registered IP-Phones.

type: keyword

checkpoint.voip_reg_user_type: Registered IP-Phone type.

type: keyword

checkpoint.voip_call_id: Call-ID.

type: keyword

checkpoint.voip_reg_int: Registration port.

type: integer

checkpoint.voip_reg_ipp: Registration IP protocol.

type: integer

checkpoint.voip_reg_period: Registration period.

type: integer

checkpoint.voip_log_type: VoIP log types. Possible values: reject, call, registration.

type: keyword

checkpoint.src_phone_number: Source IP-Phone.

type: keyword

checkpoint.voip_from_user_type: Source IP-Phone type.

type: keyword

checkpoint.dst_phone_number: Destination IP-Phone.

type: keyword

checkpoint.voip_to_user_type: Destination IP-Phone type.

type: keyword

checkpoint.voip_call_dir: Call direction: in/out.

type: keyword

checkpoint.voip_call_state: Call state. Possible values: in/out.

type: keyword

checkpoint.voip_call_term_time: Call termination time stamp.

type: keyword

checkpoint.voip_duration: Call duration (seconds).

type: keyword

checkpoint.voip_media_port: Media int.

type: keyword

checkpoint.voip_media_ipp: Media IP protocol.

type: keyword

checkpoint.voip_est_codec: Estimated codec.

type: keyword

checkpoint.voip_exp: Expiration.

type: integer

checkpoint.voip_attach_sz: Attachment size.

type: integer

checkpoint.voip_attach_action_info: Attachment action Info.

type: keyword

checkpoint.voip_media_codec: Estimated codec.

type: keyword

checkpoint.voip_reject_reason: Reject reason.

type: keyword

checkpoint.voip_reason_info: Information.

type: keyword

checkpoint.voip_config: Configuration.

type: keyword

checkpoint.voip_reg_server: Registrar server IP address.

type: ip

checkpoint.scv_user: Username whose packets are dropped on SCV.

type: keyword

checkpoint.scv_message_info: Drop reason.

type: keyword

checkpoint.ppp: Authentication status.

type: keyword

checkpoint.scheme: Describes the scheme used for the log.

type: keyword

checkpoint.auth_method: Password authentication protocol used (PAP or EAP).

type: keyword

checkpoint.auth_status: The authentication status for an event.

type: keyword

checkpoint.machine: L2TP machine which triggered the log and the log refers to it.

type: keyword

checkpoint.vpn_feature_name: L2TP /IKE / Link Selection.

type: keyword

checkpoint.reject_category: Authentication failure reason.

type: keyword

checkpoint.peer_ip_probing_status_update: IP address response status.

type: keyword

checkpoint.peer_ip: IP address which the client connects to.

type: keyword

checkpoint.peer_gateway: Main IP of the peer Security Gateway.

type: ip

checkpoint.link_probing_status_update: IP address response status.

type: keyword

checkpoint.source_interface: External Interface name for source interface or Null if not found.

type: keyword

checkpoint.next_hop_ip: Next hop IP address.

type: keyword

checkpoint.srckeyid: Initiator Spi ID.

type: keyword

checkpoint.dstkeyid: Responder Spi ID.

type: keyword

checkpoint.encryption_failure: Message indicating why the encryption failed.

type: keyword

checkpoint.ike_ids: All QM ids.

type: keyword

checkpoint.community: Community name for the IPSec key and the use of the IKEv.

type: keyword

checkpoint.ike: IKEMode (PHASE1, PHASE2, etc..).

type: keyword

checkpoint.cookieI: Initiator cookie.

type: keyword

checkpoint.cookieR: Responder cookie.

type: keyword

checkpoint.msgid: Message ID.

type: keyword

checkpoint.methods: IPSEc methods.

type: keyword

checkpoint.connection_uid: Calculation of md5 of the IP and user name as UID.

type: keyword

checkpoint.site_name: Site name.

type: keyword

checkpoint.esod_rule_name: Unknown rule name.

type: keyword

checkpoint.esod_rule_action: Unknown rule action.

type: keyword

checkpoint.esod_rule_type: Unknown rule type.

type: keyword

checkpoint.esod_noncompliance_reason: Non-compliance reason.

type: keyword

checkpoint.esod_associated_policies: Associated policies.

type: keyword

checkpoint.spyware_name: Spyware name.

type: keyword

checkpoint.spyware_type: Spyware type.

type: keyword

checkpoint.anti_virus_type: Anti virus type.

type: keyword

checkpoint.end_user_firewall_type: End user firewall type.

type: keyword

checkpoint.esod_scan_status: Scan failed.

type: keyword

checkpoint.esod_access_status: Access denied.

type: keyword

checkpoint.client_type: Endpoint Connect.

type: keyword

checkpoint.precise_error: HTTP parser error.

type: keyword

checkpoint.method: HTTP method.

type: keyword

checkpoint.trusted_domain: In case of phishing event, the domain, which the attacker was impersonating.

type: keyword

checkpoint.comment: type: keyword
checkpoint.conn_direction: Connection direction

type: keyword

checkpoint.db_ver: Database version

type: keyword

checkpoint.update_status: Status of database update

type: keyword