
Checkpoint_Malware_Alert_Severity_Medium

ID: 100265

Description:

Alerts on Checkpoint Anti-Virus blade events (product "New Anti Virus") logged at severity Medium (severity value 4 in the filter below).

Exception list for ISPs: events whose source ISP (@checkpoint._ip.isp) is in the entity Checkpoint_Malware_Alert_Exceptions_ISP are excluded.

Repository: Fluency

Group: Checkpoint

Type: event

Default Status:

Enabled

Tags:

Checkpoint, Lua

Selector:

Query:

Filters:

Field MUST hit:
  @checkpoint.protection_name   exist (boolean)
  @checkpoint.protection_type   exist (boolean)
  @checkpoint.product           New Anti Virus
  @checkpoint.src_user_name     exist (boolean)
  @checkpoint.severity          4

Field MUST NOT hit:
  @checkpoint._ip.isp           entity: [ Checkpoint_Malware_Alert_Exceptions_ISP ]

Behavior Rule:

Key Type Behavior Category
@checkpoint.src_user_name username security alert

Risks:

Risks Base Score Dimension
ALERT_NORMAL 100 alert

Attributes:

Alias Key
ProtectionName @checkpoint.protection_name
ProtectionType @checkpoint.protection_type
SourceMachineName @checkpoint.src_machine_name
MalwareAction @checkpoint.malware_action
MalwareFamily @checkpoint.malware_family
Severity @checkpoint.severity
Action @checkpoint.action
DestinationIP @checkpoint.dst
ISP @checkpoint._ip.isp
UserName @checkpoint.src_user_name
SourceIP @checkpoint.src
Resource @checkpoint.resource
Referrer @checkpoint.referrer
DNSDomain @checkpoint.dns_domain

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 10 days @checkpoint.src_user_name
  Risks: ML_NEW_USER
NewDestinationIP 10 days @checkpoint.dst
  Risks: ML_NEW_IP
NewSourceMachine 10 days @checkpoint.src_machine_name
  Risks: ML_NEW_ASSET
NewSourcEIP 10 days @checkpoint.src
  Risks: ML_NEW_IP
NewMalware 10 days @checkpoint.protection_name
  Risks: ALERT_MALWARE
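The following is an added example, not Fluency's engine or this rule's Lua: a stand-alone Python re-implementation of the Filters above (MUST hit / MUST NOT hit against the ISP exception entity) and of the First Occurrence correlations, run over constructed Check Point events so the filter drops and the per-window "new value" firings can be checked. Field paths, risk names and window lengths are taken from the page; the exception entity is stood in for by a hard-coded set, and "First Occurrence, 10 days" is assumed to mean "value not seen in the previous 10 days" (a sliding window where every sighting refreshes the timestamp). The sample events are constructed, not real logs.

```python
"""Added example: Python re-implementation of the rule's filters and First
Occurrence correlations. Not Fluency's engine or rule syntax. Assumptions: the
ISP entity matches @checkpoint._ip.isp by exact string; 'First Occurrence,
10 days' means the value was not seen in the previous 10 days."""
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional

# Constructed stand-in for the entity Checkpoint_Malware_Alert_Exceptions_ISP.
EXCEPTIONS_ISP = {"Managed Scanner Hosting Co"}

MUST_EXIST = ["@checkpoint.protection_name", "@checkpoint.protection_type",
              "@checkpoint.src_user_name"]
MUST_EQUAL = {"@checkpoint.product": "New Anti Virus", "@checkpoint.severity": "4"}


def get_field(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve an '@a.b.c' key against a nested event dict; None if absent."""
    node: Any = event
    for part in path.lstrip("@").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_filter(event: Dict[str, Any]) -> bool:
    """MUST hit: required fields exist and product/severity match;
    MUST NOT hit: source ISP is on the exception entity."""
    if any(get_field(event, p) in (None, "") for p in MUST_EXIST):
        return False
    # severity may arrive as int or string; compare the textual form
    if any(str(get_field(event, p)) != v for p, v in MUST_EQUAL.items()):
        return False
    return get_field(event, "@checkpoint._ip.isp") not in EXCEPTIONS_ISP


class FirstOccurrence:
    """Fires its risk when the field value was not seen within the window."""

    def __init__(self, name: str, window_days: int, field: str, risk: str):
        self.name, self.field, self.risk = name, field, risk
        self.window = timedelta(days=window_days)
        self.last_seen: Dict[Any, datetime] = {}

    def observe(self, event: Dict[str, Any], ts: datetime) -> Optional[str]:
        value = get_field(event, self.field)
        if value in (None, ""):
            return None
        prev = self.last_seen.get(value)
        self.last_seen[value] = ts  # sliding window: every sighting refreshes
        return self.risk if prev is None or ts - prev > self.window else None


def build_correlations() -> List[FirstOccurrence]:
    return [FirstOccurrence("NewUser", 10, "@checkpoint.src_user_name", "ML_NEW_USER"),
            FirstOccurrence("NewDestinationIP", 10, "@checkpoint.dst", "ML_NEW_IP"),
            FirstOccurrence("NewSourceMachine", 10, "@checkpoint.src_machine_name", "ML_NEW_ASSET"),
            FirstOccurrence("NewSourcEIP", 10, "@checkpoint.src", "ML_NEW_IP"),
            FirstOccurrence("NewMalware", 10, "@checkpoint.protection_name", "ALERT_MALWARE")]


def evaluate(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One alert per event passing the filter: behavior key, base risk, fired correlations."""
    correlations = build_correlations()
    alerts = []
    for ev in events:
        if not matches_filter(ev):
            continue  # correlations only see events the filter accepted
        ts = datetime.fromisoformat(ev["time"])
        fired = [(c.name, c.observe(ev, ts)) for c in correlations]
        fired = [(n, r) for n, r in fired if r]
        alerts.append({"key": get_field(ev, "@checkpoint.src_user_name"),
                       "category": "security alert",
                       "risks": ["ALERT_NORMAL"] + [r for _, r in fired],
                       "correlations": [n for n, _ in fired]})
    return alerts


def sample_events() -> List[Dict[str, Any]]:
    """Constructed events (not real Check Point logs) exercising each branch."""
    base = {"product": "New Anti Virus", "severity": 4, "protection_type": "malicious file",
            "action": "Prevent", "_ip": {"isp": "Example Broadband"}}

    def ev(time: str, **fields: Any) -> Dict[str, Any]:
        return {"time": time, "checkpoint": {**base, **fields}}

    return [
        ev("2022-04-01T09:00:00", src_user_name="alice", src="10.0.0.5", dst="203.0.113.10",
           src_machine_name="WS-01", protection_name="Trojan.Win32.Generic"),
        ev("2022-04-01T09:05:00", src_user_name="bob", src="10.0.0.6", dst="203.0.113.10",
           src_machine_name="WS-02", protection_name="Trojan.Win32.Generic", severity=2),  # dropped: severity
        ev("2022-04-01T09:10:00", src_user_name="carol", src="10.0.0.7", dst="203.0.113.11",
           src_machine_name="WS-03", protection_name="Adware.Foo",
           _ip={"isp": "Managed Scanner Hosting Co"}),  # dropped: excepted ISP
        ev("2022-04-01T09:15:00", src="10.0.0.8", dst="203.0.113.12",
           src_machine_name="WS-04", protection_name="Adware.Foo"),  # dropped: no src_user_name
        ev("2022-04-04T10:00:00", src_user_name="alice", src="10.0.0.9", dst="203.0.113.10",
           src_machine_name="WS-01", protection_name="Ransom.Win32.Example"),  # 3 days: new src, new malware
        ev("2022-04-19T11:00:00", src_user_name="alice", src="10.0.0.9", dst="203.0.113.10",
           src_machine_name="WS-01", protection_name="Ransom.Win32.Example"),  # 15 days: all windows expired
    ]


if __name__ == "__main__":
    for alert in evaluate(sample_events()):
        print(alert)
```

Running it yields three alerts for alice: the first fires all five First Occurrence correlations, the second (three days later) fires only NewSourcEIP and NewMalware because the user, destination and machine are still inside the 10-day window, and the third (fifteen days after the second) fires all five again because every window has expired. The severity-2, excepted-ISP and missing-user events never reach the correlations, which is why the exception entity should be kept tight: an over-broad ISP entry suppresses not only the alert but also the baseline the NewUser/NewMalware windows are built from.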

History:

User Date
2021 May 14 08:42:47 EDT
2021 May 24 08:41:50 EDT
2021 May 24 14:52:18 EDT
ho*d@fluencysecurity.com 2021 Sep 30 12:08:41 EDT
ho*d@fluencysecurity.com 2021 Nov 30 14:27:12 EST
ho*d@fluencysecurity.com 2022 Apr 14 11:05:55 EDT

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)