
CheckpointSB_Trojan

ID: 100009

Description:

SandBlast Trojan Alert

Repository: Group: ThreatAnalysis Type: event

Default Status:

Disabled

Tags:

CheckPoint SandBlast

Selector:

Query:

Filters:

MUST hit:

Field                              Value
@checkpoint_sb.infection_category  Trojan
@event_type                        @checkpoint_sb

MUST NOT hit:

(no fields listed)

Behavior Rule:

Key                   Type      Behavior Category
@checkpoint_sb.suser  username  security alert

Risks:

Risk                   Base Score  Dimension
ALERT_HIGH_CONFIDENCE  2000        alert
ALERT_END_POINT        800         alert

Attributes:

Alias        Key
Username     @checkpoint_sb.suser
Description  @checkpoint_sb.CEF_Name
IP           @checkpoint_sb.src
Customer     @customer
Hostname     @checkpoint_sb.shost
OS           @checkpoint_sb.os_name
Confidence   @checkpoint_sb.flexNumber1
Severity     @checkpoint_sb.cp_severity
FilePath     @checkpoint_sb.fname
FileHash     @checkpoint_sb.fileHash

Correlation Rules:

First Occurrence:

Name      Window   Fields                   Risks
NewUser   10 days  @checkpoint_sb.suser     ML_NEW_USER
NewAlert  10 days  @checkpoint_sb.CEF_Name  ML_NEW_ALERT
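The selector, attribute mapping, risk assignment and First Occurrence correlation described above, worked through as an added Python example. This is not Fluency's code or the platform's rule engine; it runs the rule over a constructed stream of events shaped like the fields the page names. The event layout (nested dicts keyed by `@checkpoint_sb`, an ISO `@timestamp`), the "value not seen within the window" semantics for First Occurrence, and summing the two base scores are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Selector: every MUST-hit field must equal its value; the page lists no MUST NOT fields.
MUST_HIT = {"@checkpoint_sb.infection_category": "Trojan", "@event_type": "@checkpoint_sb"}
MUST_NOT_HIT = {}

ATTRIBUTES = {  # Alias -> Key, as listed on the page
    "Username": "@checkpoint_sb.suser", "Description": "@checkpoint_sb.CEF_Name",
    "IP": "@checkpoint_sb.src", "Customer": "@customer",
    "Hostname": "@checkpoint_sb.shost", "OS": "@checkpoint_sb.os_name",
    "Confidence": "@checkpoint_sb.flexNumber1", "Severity": "@checkpoint_sb.cp_severity",
    "FilePath": "@checkpoint_sb.fname", "FileHash": "@checkpoint_sb.fileHash",
}

BASE_RISKS = {"ALERT_HIGH_CONFIDENCE": 2000, "ALERT_END_POINT": 800}
FIRST_OCCURRENCE = [  # (name, window, field, risk) from the Correlation Rules table
    ("NewUser", timedelta(days=10), "@checkpoint_sb.suser", "ML_NEW_USER"),
    ("NewAlert", timedelta(days=10), "@checkpoint_sb.CEF_Name", "ML_NEW_ALERT"),
]


def lookup(event, key):
    """Resolve a dotted key such as '@checkpoint_sb.suser' against a nested dict."""
    node = event
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def selector_matches(event):
    """True when all MUST-hit fields match and no MUST-NOT field matches."""
    if any(lookup(event, k) != v for k, v in MUST_HIT.items()):
        return False
    return not any(lookup(event, k) == v for k, v in MUST_NOT_HIT.items())


def extract_attributes(event):
    return {alias: lookup(event, key) for alias, key in ATTRIBUTES.items()}


class FirstOccurrenceTracker:
    """Remembers when each field value was last seen. A rule fires when the value was
    never seen or was last seen longer than its window ago (assumed semantics of
    'First Occurrence'; events are assumed to arrive in time order)."""

    def __init__(self):
        self.last_seen = {}  # (rule name, value) -> datetime

    def risks_for(self, event):
        ts = datetime.fromisoformat(event["@timestamp"])
        fired = []
        for name, window, field, risk in FIRST_OCCURRENCE:
            value = lookup(event, field)
            if value is None:
                continue
            prev = self.last_seen.get((name, value))
            if prev is None or ts - prev > window:
                fired.append(risk)
            self.last_seen[(name, value)] = ts
        return fired


def run_rule(events):
    """Apply the rule to an event stream; one result per matching event.
    The behavior key is the username (@checkpoint_sb.suser). base_score sums the
    static risk scores, an assumption about how the platform combines them."""
    tracker = FirstOccurrenceTracker()
    results = []
    for event in events:
        if not selector_matches(event):
            continue
        results.append({
            "key": lookup(event, "@checkpoint_sb.suser"),
            "attributes": extract_attributes(event),
            "risks": sorted(BASE_RISKS) + tracker.risks_for(event),
            "base_score": sum(BASE_RISKS.values()),
        })
    return results


def make_event(ts, user, cef_name, category="Trojan", event_type="@checkpoint_sb"):
    """Constructed event shaped like the fields the rule reads (not real SandBlast data)."""
    return {
        "@event_type": event_type, "@customer": "acme-corp", "@timestamp": ts,
        "@checkpoint_sb": {
            "infection_category": category, "suser": user, "CEF_Name": cef_name,
            "src": "10.0.0.5", "shost": f"ws-{user}", "os_name": "Windows 10",
            "flexNumber1": 90, "cp_severity": "High",
            "fname": f"C:\\Users\\{user}\\invoice.exe",
            "fileHash": "constructed-hash-placeholder",
        },
    }


# Constructed sample stream; the comments state what each event should do.
SAMPLE_EVENTS = [
    make_event("2021-02-24T18:00:00", "alice", "Threat Emulation"),  # match; new user + new alert
    make_event("2021-02-24T18:05:00", "bob", "Threat Emulation", category="Adware"),  # not Trojan
    make_event("2021-02-27T09:00:00", "alice", "Threat Emulation"),  # match; both values seen recently
    make_event("2021-03-01T12:00:00", "carol", "Anti-Bot"),  # match; new user + new alert
    make_event("2021-03-02T10:00:00", "dave", "Threat Emulation", event_type="@syslog"),  # wrong source
    make_event("2021-03-10T08:00:00", "alice", "Anti-Bot"),  # alice unseen >10 days; Anti-Bot seen 9 days ago
]
```

Running `run_rule(SAMPLE_EVENTS)` yields four results: the Adware event fails the infection_category filter and the `@syslog` event fails the `@event_type` filter, while the last event shows the two First Occurrence rules firing independently (a returning user after 11 days, an alert name seen 9 days earlier).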

History:

User                        Date
em*n@fluencysecurity.com    2021 Feb 24 18:57:51 EST
je*y@fortify24x7.com        2021 Mar 8 12:05:49 EST

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)