CheckpointSB_Trojan

ID: 100009

Description:

SandBlast Trojan Alert

Repository:

Group: ThreatAnalysis
Type: event

Default Status:

Disabled

Tags:

CheckPoint SandBlast

Selector:

Query:

Filters:

Field                              MUST hit
@checkpoint_sb.infection_category  Trojan
@event_type                        @checkpoint_sb

Field                              MUST NOT hit

Behavior Rule:

Key                    Type      Behavior        Category
@checkpoint_sb.suser   username  security alert

Risks:

Risks                  Base Score  Dimension
ALERT_HIGH_CONFIDENCE  2000        alert
ALERT_END_POINT        800         alert

Attributes:

Alias        Key
Username     @checkpoint_sb.suser
Description  @checkpoint_sb.CEF_Name
IP           @checkpoint_sb.src
Customer     @customer
Hostname     @checkpoint_sb.shost
OS           @checkpoint_sb.os_name
Confidence   @checkpoint_sb.flexNumber1
Severity     @checkpoint_sb.cp_severity
FilePath     @checkpoint_sb.fname
FileHash     @checkpoint_sb.fileHash

Correlation Rules:

First Occurrence:

Name      Window   Fields
NewUser   10 days  @checkpoint_sb.suser
  Risks: ML_NEW_USER
NewAlert  10 days  @checkpoint_sb.CEF_Name
  Risks: ML_NEW_ALERT

History:

User                       Date
em*n@fluencysecurity.com   2021 Feb 24 18:57:51 EST
je*y@fortify24x7.com       2021 Mar 8 12:05:49 EST

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)