Checkpoint_Malware_Alert_Severity_Medium
ID: 100265
Description:
Alerts from Checkpoint “AntiVirus” events. Severity Medium
Exception list for ISPs: Checkpoint_Malware_Alert_Exceptions_ISP
Repository: Fluency Group: Checkpoint Type: event
Default Status:
Enabled
| Tags: | |
|---|---|
| Checkpoint | Lua |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @checkpoint.protection_name | exist (boolean) |
| @checkpoint.protection_type | exist (boolean) |
| @checkpoint.product | New Anti Virus |
| @checkpoint.src_user_name | exist (boolean) |
| @checkpoint.severity | 4 |
| Field | MUST NOT hit |
|---|---|
| @checkpoint._ip.isp | entity: [ Checkpoint_Malware_Alert_Exceptions_ISP ] |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @checkpoint.src_user_name | username | security alert |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_NORMAL | 100 | alert |
Attributes:
| Alias | Key |
|---|---|
| ProtectionName | @checkpoint.protection_name |
| ProtectionType | @checkpoint.protection_type |
| SourceMachineName | @checkpoint.src_machine_name |
| MalwareAction | @checkpoint.malware_action |
| MalwareFamily | @checkpoint.malware_family |
| Severity | @checkpoint.severity |
| Action | @checkpoint.action |
| DestinationIP | @checkpoint.dst |
| ISP | @checkpoint._ip.isp |
| UserName | @checkpoint.src_user_name |
| SourceIP | @checkpoint.src |
| Resource | @checkpoint.resource |
| Referrer | @checkpoint.referrer |
| DNSDomain | @checkpoint.dns_domain |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewUser | 10 days | @checkpoint.src_user_name |
| Risks: | ML_NEW_USER | |
| NewDestinationIP | 10 days | @checkpoint.dst |
| Risks: | ML_NEW_IP | |
| NewSourceMachine | 10 days | @checkpoint.src_machine_name |
| Risks: | ML_NEW_ASSET | |
| NewSourcEIP | 10 days | @checkpoint.src |
| Risks: | ML_NEW_IP | |
| NewMalware | 10 days | @checkpoint.protection_name |
| Risks: | ALERT_MALWARE |
History:
| User | Date |
|---|---|
| — | 2021 May 14 08:42:47 EDT |
| — | 2021 May 24 08:41:50 EDT |
| — | 2021 May 24 14:52:18 EDT |
| ho*d@fluencysecurity.com | 2021 Sep 30 12:08:41 EDT |
| ho*d@fluencysecurity.com | 2021 Nov 30 14:27:12 EST |
| ho*d@fluencysecurity.com | 2022 Apr 14 11:05:55 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)