Checkpoint_Malware_Alert_Severity_High

ID: 100266

Description:

Alerts from Checkpoint “AntiVirus” events with severity High.

Exception list for ISPs: Checkpoint_Malware_Alert_Exceptions_ISP

Repository: Fluency
Group: Checkpoint
Type: event

Default Status:

Enabled

Tags: Checkpoint, Lua

Selector:

Query:

Filters:

Field                          MUST hit
@checkpoint.protection_name    exist (boolean)
@checkpoint.protection_type    exist (boolean)
@checkpoint.product            New Anti Virus
@checkpoint.src_user_name      exist (boolean)
@checkpoint.severity           5

Field                          MUST NOT hit
@checkpoint._ip.isp            entity: [ Checkpoint_Malware_Alert_Exceptions_ISP ]

Behavior Rule:

Key Type Behavior Category
@checkpoint.src_user_name username security alert

Risks:

Risks          Base Score   Dimension
ALERT_NORMAL   100          alert

Attributes:

Alias               Key
ProtectionName      @checkpoint.protection_name
ProtectionType      @checkpoint.protection_type
SourceMachineName   @checkpoint.src_machine_name
MalwareAction       @checkpoint.malware_action
MalwareFamily       @checkpoint.malware_family
Severity            @checkpoint.severity
Action              @checkpoint.action
DestinationIP       @checkpoint.dst
ISP                 @checkpoint._ip.isp
UserName            @checkpoint.src_user_name
SourceIP            @checkpoint.src

Correlation Rules:

First Occurrence:

Name               Window    Fields
NewUser            10 days   @checkpoint.src_user_name
  Risks: ML_NEW_USER
NewDestinationIP   10 days   @checkpoint.dst
  Risks: ML_NEW_IP
NewSourceMachine   10 days   @checkpoint.src_machine_name
  Risks: ML_NEW_ASSET
NewSourcEIP        10 days   @checkpoint.src
  Risks: ML_NEW_IP
NewMalware         10 days   @checkpoint.protection_name
  Risks: ALERT_MALWARE

History:

User                        Date
                            2021 May 14 08:44:13 EDT
                            2021 May 14 08:46:09 EDT
                            2021 May 24 08:41:02 EDT
                            2021 May 24 14:51:21 EDT
ho*d@fluencysecurity.com    2021 Sep 30 12:07:39 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)