--- title: Check Point fields description: Some checkpoint module Module for parsing Checkpoint syslog. url: https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/filebeat/exported-fields-checkpoint products: - Beats - Filebeat applies_to: - Elastic Cloud Serverless: Generally available - Elastic Stack: Generally available --- # Check Point fields Some checkpoint module ## checkpoint Module for parsing Checkpoint syslog. Confidence level determined by ThreatCloud. type: integer Log description. type: keyword Destination country. type: keyword Connected user name on the destination IP. type: keyword Email number in smtp connection. type: keyword Original email subject. type: keyword Connection uuid. type: keyword Number of events associated with the log. type: long System messages type: keyword System messages type: keyword The impact of update service failure. type: keyword Override application ID. type: integer The source for authentication identity information. type: keyword Policy installation status for a specific blade. type: keyword Layer name. type: keyword Layer UUID. type: keyword Unique identity for logs. type: integer Additional information on protection. type: keyword Machine SIC. type: keyword Name of the Management Server that manages this Security Gateway. type: keyword Name of the last policy that this Security Gateway fetched. type: keyword Protection malware id. type: keyword Specific signature name of the attack. type: keyword Type of protection used to detect the attack. type: keyword Protocol detected on the connection. type: keyword Sender source IP (even when using proxy). type: ip Matched rule number. type: integer Action of the matched rule in the access policy. type: keyword Scan direction. type: keyword Log uuid. type: keyword OS which generated the attack. type: keyword Country name, derived from connection source IP address. type: keyword User name connected to source IP type: keyword Unique ID per file. type: keyword SNI/CN from encrypted TLS connection used by URLF for categorization. type: keyword TE engine verdict Possible values: Malicious/Benign/Error. type: keyword Source user name. type: keyword The vendor name that provided the verdict for a malicious URL. type: keyword Web server detected in the HTTP response. type: keyword Client Application or Software Blade that detected the event. type: keyword Build version of SandBlast Agent client installed on the computer. type: keyword Build version of the SandBlast Agent browser extension. type: keyword Local time on the endpoint computer. type: keyword List of installed Endpoint Software Blades. type: keyword The Carbon Copy address of the email. type: keyword Owner username of the parent process of the process that triggered the attack. type: keyword Owner username of the process that triggered the attack. type: keyword Audit Status. Can be Success or Failure. type: keyword Table of affected objects. type: keyword The type of the affected object. type: keyword The operation nuber. type: keyword Amount of recipients whom the mail was sent to. type: integer Aggregated connections for five minutes on the same source, destination and port. type: integer Blade name. type: keyword Ok/Warning/Error. type: keyword Short description of the process that was executed. type: keyword More information on the process (usually describing error reason in failure). type: keyword Number of unique hosts during the last hour. type: integer Number of unique hosts during the last day. type: integer Number of unique hosts during the last week. type: integer Detected virus for a specific host during the last hour. type: integer Detected virus for a specific host during the last day. type: integer Detected virus for a specific host during the last week. type: integer Number of emails that were scanned by "AB malicious activity" engine. type: integer DNS host name. type: keyword Additional explanation how the security gateway enforced the connection. type: keyword Email categories. Possible values: spam/not spam/phishing. type: keyword Message classification, received from spam vendor engine. type: keyword "Infected"/description of a failure. type: keyword Original postfix email queue id. type: keyword Risk level we got from the engine. type: keyword The role of identity. type: keyword IOC observable signature name. type: keyword IOC observable signature id. type: keyword IOC observable signature description. type: keyword IOC indicator name. type: keyword IOC indicator description. type: keyword IOC indicator reference. type: keyword IOC indicator uuid. type: keyword Application description. type: keyword Application ID. type: integer IOC indicator description. type: keyword HTTPS resource Possible values: SNI or domain name (DN). type: keyword Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. type: keyword Application session browse time. type: keyword Indicates whether data limit was requested for the session. type: integer Indicates whether the session was actually date limited. type: integer Amount of dropped packets (both incoming and outgoing). type: integer Client OS detected in the HTTP request. type: keyword Application name. type: keyword Application categories. type: keyword Application's signature ID which how it was detected by. type: keyword Override application description. type: keyword UUID of the current log. type: keyword Log UUID of the referring application. type: keyword Browse time required for the connection. type: integer Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. type: keyword Sync status and the reason (stable, at risk). type: keyword File direction. Possible options: upload/download. type: keyword File_size field is valid only if this field is set to 0. type: integer In case of archive file: the file that was sent/received. type: keyword Data type in rulebase that was matched. type: keyword Compound/Group scenario, data type that was matched. type: keyword Words matched by data type. type: keyword Special log message. type: keyword URL related to this log (for HTTP). type: keyword Matched rule name. type: keyword Mail recipients. type: keyword Mail subject. type: keyword Phrases matched by data type. type: keyword Template data type match score. type: keyword Mail/post size. type: integer Unique ID of the matched rule. type: keyword Other ID related to this one. type: keyword Matched data type. type: keyword Unique ID of the matched data type. type: keyword Violation descriptions described in the rulebase. type: keyword In case of Compound/Group: the inner data types that were matched. type: keyword Action chosen reason. type: keyword Data type category. type: keyword HTTP/SMTP/FTP. type: keyword Log marked as duplicated, when mail is split and the Security Gateway sees it twice. type: keyword Matched data type. type: keyword Unique ID of the matched data type. type: keyword Fingerprint: number of text segments matched by this traffic. type: integer Fingerprint: match percentage of the traffic. type: integer Watermark/None. type: keyword Watermark which was applied. type: keyword ID of scanned repository. type: keyword Repository path. type: keyword Sequential number of scan. type: keyword If this field is set to '1' the log will not be shown (in use for monitoring scan progress). type: integer Repository size. type: integer Number of files in repository. type: integer Number of scanned files in repository. type: integer Scan duration. type: keyword Scan status - long format. type: keyword Scan status - short format. type: keyword Number of directories in repository. type: integer Number of directories the Security Gateway was unable to read. type: integer Number of successfully scanned files in repository. type: integer Skipped number of files because of configuration. type: integer Amount of directories scanned. type: integer Number of files that were not scanned due to an error. type: integer Next scan scheduled time according to time object. type: keyword Size scanned. type: integer Number of scanned directories in repository. type: integer Percentage of directories the Security Gateway was unable to read. type: integer Current scan speed. type: integer Scan percentage. type: integer Layer name. type: keyword Layer uid. type: keyword Used for various firewall errors. type: keyword ISP link has failed. type: keyword Name of ISP link. type: keyword Can be vpn/non vpn. type: keyword Error information, what caused sctp to fail on out_of_state. type: keyword Chunck of the sctp stream. type: keyword The bad state you were trying to update to. type: keyword State violation. type: keyword TCP packet flags (SYN, ACK, etc.,). type: keyword Log for a new connection in wire mode. type: keyword IP option that was dropped. type: integer Log reinting a tcp state change. type: keyword Connection closing time. type: keyword In case a connection is ICMP, type info will be added to the log. type: integer In case a connection is ICMP, code info will be added to the log. type: integer Log for new RPC state - prog values. type: integer Log for new RPC state - UUID values type: keyword Time passed since start time. type: keyword Number of packets, received by the client. type: keyword UUID generated for the capture. Used when enabling the capture when logging. type: keyword The ID of diameter application. type: integer Diameter not allowed application command id. type: integer Diameter message type. type: keyword Used to log a general message. type: integer Time left before deleting template. type: integer In case of a malicious event on an endpoint computer, the status of the attack. type: keyword In case of an infection on an endpoint computer, the list of files that the malware impacted. type: keyword In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. type: keyword The name of the mechanism that triggered the Software Blade to enforce a protection. type: keyword ID of the matched rule. type: keyword Name of the matched rule. type: keyword List of all found categories. type: keyword Precise error, describing HTTPS inspection failure. type: keyword HTTPS inspection action (Inspect/Bypass/Error). type: keyword Service ID, can work with multiple servers, treated as services. type: integer Server name. type: keyword Internal error, for troubleshooting type: keyword Free text for verdict. type: integer ICAP reply status code, e.g. 200 or 204. type: integer Service name, as given in the ICAP URI type: keyword Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). type: keyword Designated interface for mirror And decrypt. type: keyword HTTP session-id. type: keyword IP address of the broker publisher who shared the session information. type: ip User distinguished name connected to source IP. type: keyword User name connected to proxy IP. type: keyword Machine name connected to proxy IP. type: integer User distinguished name connected to proxy IP. type: keyword DNS query. type: keyword DNS query. type: keyword Blade element performed inspection. type: keyword Protection performance impact. type: integer Inspection category: protocol anomaly, signature etc. type: keyword Profile which the activated protection belongs to. type: keyword Summary message of a non-compliant DNS traffic drops or detects. type: keyword List of question records domains. type: keyword List of answer resource records to the questioned domains. type: keyword List of authoritative servers. type: keyword List of additional resource records. type: keyword List of files requested by FTP. type: keyword FTP username. type: keyword Sender's address. type: keyword List of receiver address. type: keyword List of BCC addresses. type: keyword Mail content type. Possible values: application/msword, text/html, image/gif etc. type: keyword String identifying requesting software user agent. type: keyword Referrer HTTP request header, previous web page address. type: keyword Response header, indicates the URL to redirect a page to. type: keyword Indicates how the content is expected to be displayed inline in the browser. type: keyword Via header is added by proxies for tracking purposes to avoid sending reqests in loop. type: keyword Server HTTP header value, contains information about the software used by the origin server, which handles the request. type: keyword Indicates the size of the entity-body of the HTTP header. type: keyword Authorization HTTP header value. type: keyword Domain name of the server that the HTTP request is sent to. type: keyword Indicats that the log was released by inspection settings. type: keyword Mobile Access application. type: keyword Mobile Access application type. type: keyword Translated URL. type: keyword A reject ID that corresponds to the one presented in the Mobile Access error page. type: keyword The file share protocol used in mobile acess file share application. type: keyword Unique identifier of the application on the protected mobile device. type: keyword Name of application downloaded on the protected mobile device. type: keyword Indicates whether the original application was repackage not by the official developer. type: keyword Unique SHA identifier of a mobile application. type: keyword Version of the application downloaded on the protected mobile device. type: keyword Name of the developer's certificate that was used to sign the mobile application. type: keyword Engine name. type: keyword Email session id (uniqe ID of the mail). type: keyword Postfix email queue id. type: keyword Postfix email queue name. type: keyword Malicious file name. type: keyword MTA failure description. type: keyword String containing all the email headers. type: keyword Email arrival timestamp. type: keyword Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended type: keyword Last time log was updated. type: keyword Timestamp of when email was delivered (MTA finished handling the email. type: keyword Number of links in the mail. type: integer Number of attachments in the mail. type: integer Mail contents. Possible options: attachments/links & attachments/links/text only. type: keyword Amount of allocated ports. type: integer Capacity of the ports. type: integer Percentage of allocated ports. type: integer 4-tuple of an exhausted pool. type: keyword NAT rulebase first matched rule. type: integer When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. type: integer Used for information messages, for example:NAT connection has ended. type: keyword NAT 46 status, in most cases "enabled". type: keyword TCP connection end time. type: keyword Reason for TCP connection closure. type: keyword Describes NAT allocation for specific subscriber. type: keyword Source IP before CGNAT. type: ip Source IP which will be used after CGNAT. type: ip Subscriber start int which will be used for NAT. type: integer Subscriber end int which will be used for NAT. type: integer Amount of packets dropped. type: integer Aggregated logs of monitored packets. type: keyword Amount of multicast packets dropped. type: integer Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. type: keyword Connections amount of aggregated log info. type: integer IP related to the attack. type: keyword Check Point ThreatCloud / emulator name. type: keyword System and applications version the file was emulated on. type: keyword List of names dropped from the original file. type: keyword List of file types dropped from the original file. type: keyword List of file hashes dropped from the original file. type: keyword List of file verdics dropped from the original file. type: keyword Images the files were emulated on. type: keyword Types of extracted files in case of an archive. type: keyword Names of extracted files in case of an archive. type: keyword Archive hash in case of extracted files. type: keyword Verdict of extracted files in case of an archive. type: keyword UID of extracted files in case of an archive. type: keyword The adversary is trying to break into your network. type: keyword The adversary is trying to run malicious code. type: keyword The adversary is trying to maintain his foothold. type: keyword The adversary is trying to gain higher-level permissions. type: keyword The adversary is trying to avoid being detected. type: keyword The adversary is trying to steal account names and passwords. type: keyword The adversary is trying to expose information about your environment. type: keyword The adversary is trying to explore your environment. type: keyword The adversary is trying to collect data of interest to achieve his goal. type: keyword The adversary is trying to communicate with compromised systems in order to control them. type: keyword The adversary is trying to steal data. type: keyword The adversary is trying to manipulate, interrupt, or destroy your systems and data. type: keyword Archive's hash in case of extracted files. type: keyword Archive's name in case of extracted files. type: keyword Archive's UID in case of extracted files. type: keyword Other IoCs similar to the ones found, related to the malicious file. type: keyword Hashes found similar to the malicious file. type: keyword Strings found similar to the malicious file. type: keyword Network action found similar to the malicious file. type: keyword Emulators determined file verdict. type: keyword Identifier of the packet capture files. type: keyword The number of attachments in an email. type: integer ID of original file/mail which are sent by admin. type: keyword File risk. type: integer Operation made by Threat Extraction. type: keyword Active content that was found. type: keyword Extraction process duration. type: keyword File download time from resource. type: keyword Threat extraction total file handling time. type: keyword The result of the extraction type: keyword Reports whether watermark is added to the cleaned file. type: keyword The Check Point session ID. type: keyword Matched object name on source column. type: keyword Matched object name on destination column. type: keyword Drop reason description. type: keyword Number of hits on a rule. type: integer Layer number. type: integer First hit time in current interval. type: integer Last hit time in current interval. type: integer Information sent when old connections cannot be matched during policy installation. type: keyword Connection rematched time. type: keyword Connection drop reason. type: integer Connection drop reason message. type: keyword Boolean value indicates whether bytes sent from the client side are used. type: integer Serial number of the log for a specific connection. type: integer Private key of the rule type: integer Alert level of matched rule (for connection logs). type: keyword Parent rule number, in case of inline layer. type: integer Rule number. type: integer Number of outgoing bytes dropped when using UP-limit feature. type: integer Number of incoming bytes dropped when using UP-limit feature. type: integer Media used (audio, video, etc.) type: keyword Explains why 'source_ip' isn't allowed to redirect (handover). type: keyword Registration request. type: keyword Registered IP-Phones. type: keyword Registered IP-Phone type. type: keyword Call-ID. type: keyword Registration port. type: integer Registration IP protocol. type: integer Registration period. type: integer VoIP log types. Possible values: reject, call, registration. type: keyword Source IP-Phone. type: keyword Source IP-Phone type. type: keyword Destination IP-Phone. type: keyword Destination IP-Phone type. type: keyword Call direction: in/out. type: keyword Call state. Possible values: in/out. type: keyword Call termination time stamp. type: keyword Call duration (seconds). type: keyword Media int. type: keyword Media IP protocol. type: keyword Estimated codec. type: keyword Expiration. type: integer Attachment size. type: integer Attachment action Info. type: keyword Estimated codec. type: keyword Reject reason. type: keyword Information. type: keyword Configuration. type: keyword Registrar server IP address. type: ip Username whose packets are dropped on SCV. type: keyword Drop reason. type: keyword Authentication status. type: keyword Describes the scheme used for the log. type: keyword Password authentication protocol used (PAP or EAP). type: keyword The authentication status for an event. type: keyword L2TP machine which triggered the log and the log refers to it. type: keyword L2TP /IKE / Link Selection. type: keyword Authentication failure reason. type: keyword IP address response status. type: keyword IP address which the client connects to. type: keyword Main IP of the peer Security Gateway. type: ip IP address response status. type: keyword External Interface name for source interface or Null if not found. type: keyword Next hop IP address. type: keyword Initiator Spi ID. type: keyword Responder Spi ID. type: keyword Message indicating why the encryption failed. type: keyword All QM ids. type: keyword Community name for the IPSec key and the use of the IKEv. type: keyword IKEMode (PHASE1, PHASE2, etc..). type: keyword Initiator cookie. type: keyword Responder cookie. type: keyword Message ID. type: keyword IPSEc methods. type: keyword Calculation of md5 of the IP and user name as UID. type: keyword Site name. type: keyword Unknown rule name. type: keyword Unknown rule action. type: keyword Unknown rule type. type: keyword Non-compliance reason. type: keyword Associated policies. type: keyword Spyware name. type: keyword Spyware type. type: keyword Anti virus type. type: keyword End user firewall type. type: keyword Scan failed. type: keyword Access denied. type: keyword Endpoint Connect. type: keyword HTTP parser error. type: keyword HTTP method. type: keyword In case of phishing event, the domain, which the attacker was impersonating. type: keyword type: keyword Connection direction type: keyword Database version type: keyword Status of database update type: keyword