Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (34)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.firewall.bytesReceived | Number of bytes received through the firewall session. | checkpoint.received_bytes | plong |
| gen.firewall.bytesSent | Number of bytes sent through the firewall session. | checkpoint.sent_bytes | plong |
| gen.dest.ip | Destination IP address. | checkpoint.dst, checkpoint.dst_ip, checkpoint.proxied_server_ip, checkpoint.peer_ip, checkpoint.peer_gateway, checkpoint.Dst | text_general |
| gen.src.ip | Source IP address. | checkpoint.src, checkpoint.src_ip, checkpoint.Subscriber, checkpoint.client_ip | text_general |
| gen.username | Username associated with the event. | checkpoint.dst_user_name, checkpoint.src_user_name, checkpoint.user, checkpoint.src_user_dn, checkpoint.proxy_user_name, checkpoint.proxy_user_dn, checkpoint.ftp_user, checkpoint.scv_user, checkpoint.user_name, checkpoint.Process_Username, checkpoint.administrator | text_general |
| gen.mail.subject | Subject line of the email. | checkpoint.email_subject, checkpoint.dlp_subject, checkpoint.subject | strings |
| gen.mail.sender | Email address of the message sender. | checkpoint.from, checkpoint.mime_from | strings |
| gen.mail.receiver | Email address of the message recipient. | checkpoint.to, checkpoint.dlp_recipients, checkpoint.mime_to, checkpoint.cc, checkpoint.bcc | strings |
| gen.file.name | File name associated with the event. | checkpoint.file_name, checkpoint.top_archive_file_name, checkpoint.dlp_file_name, checkpoint.matched_file, checkpoint.files_names | strings |
| gen.firewall.direction | Traffic direction (e.g., inbound, outbound). | checkpoint.interfacedir, checkpoint.conn_direction, checkpoint.file_direction, checkpoint.Direction, checkpoint.i_f_dir | strings |
| gen.firewall.rule | Firewall rule that triggered the event. | checkpoint.rule, checkpoint.app_rule_id, checkpoint.app_rule_name, checkpoint.ep_rule_id, checkpoint.match_table.rule_name | strings |
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | checkpoint.rule_action, checkpoint.action, checkpoint.Action, checkpoint.match_table.rule_action | strings |
| gen.product | Product name or component generating the log. | checkpoint.product, checkpoint.client_name | strings |
| gen.av.action | Action taken by antivirus (e.g., blocked, quarantined, cleaned). | checkpoint.malware_action | strings |
| gen.av.infectionCategory | Category of detected malware or infection. | checkpoint.malware_family, checkpoint.spyware_type, checkpoint.anti_virus_type, checkpoint.infection_category | strings |
| gen.av.infectionName | Name of the detected infection or malware. | checkpoint.protection_name, checkpoint.spyware_name | strings |
| gen.av.status | Status of the antivirus event (e.g., success, failure). | checkpoint.verdict, checkpoint.scan_result | strings |
| gen.proxy.endpoint | Destination endpoint accessed through the proxy. | checkpoint.resource, checkpoint.url, checkpoint.outgoing_url, checkpoint.http_location, checkpoint.Resource | string |
| gen.dns.domain | Queried DNS domain name. | checkpoint.tls_server_host_name, checkpoint.certificate_resource, checkpoint.query, checkpoint.dns_query, checkpoint.domain_name | strings |
| gen.proxy.userAgent | User agent string from the HTTP request. | checkpoint.web_client_type, checkpoint.user_agent | string |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | checkpoint.proto, checkpoint.protocol, checkpoint.dlp_transport, checkpoint.voip_reg_ipp | strings |
| gen.src.port | Source port number. | checkpoint.s_port, checkpoint.src_port | pint |
| gen.hostname | Normalized hostname of the system generating the log. | checkpoint.origin, checkpoint.icap_server_name, checkpoint.src_machine_name, checkpoint.proxy_machine_name, checkpoint.dst_machine_name, checkpoint.machine, checkpoint.orig | text_general |
| gen.severity | Normalized severity field across log sources. | checkpoint.severity, checkpoint.Severity | strings |
| gen.src.interface | Network interface used for the source connection. | checkpoint.client_inbound_interface, checkpoint.source_interface | strings |
| gen.proxy.referrer | HTTP referrer header value. | checkpoint.referrer | string |
| gen.mail.size | Size of the email in bytes. | checkpoint.message_size | plong |
| gen.file.path | Full file path associated with the event. | checkpoint.dlp_repository_root_path, checkpoint.source_path, checkpoint.destination_path, checkpoint.remediation_file, checkpoint.remediated_files, checkpoint.impacted_files | strings |
| gen.proxy.httpStatus | HTTP response status code from the proxy. | checkpoint.status | pint |
| gen.group | User group associated with the event. | checkpoint.src_user_group, checkpoint.user_group | strings |
| gen.dns.record | DNS record type (e.g., A, AAAA, MX). | checkpoint.dns_type | strings |
| gen.proxy.method | HTTP request method (e.g., GET, POST). | checkpoint.method | string |
| gen.process.process | Name of the process. | checkpoint.process, checkpoint.program_name | string |
| gen.dest.port | Destination port number. | checkpoint.service, checkpoint.port | pint |
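The normalization the generic-fields table describes, as an added example that is not part of the original page and not code from Check Point or from any SIEM vendor: a small Python normalizer that turns pipe-delimited Check Point `key=value` log lines (the shape Log Exporter emits) into `gen.*` fields using the source-field lists from the table above. It assumes a precedence order the page does not state (for single-valued fields the first listed source wins; for `strings` fields every present source is collected), applies the schema types (`pint`/`plong` become integers), and keeps the raw `checkpoint.*` values alongside. The log lines are constructed samples; the second one exercises the documented caveat that `checkpoint.status` may hold a bypass-mode word rather than an HTTP code, which must not be forced into the integer `gen.proxy.httpStatus`.

```python
"""Normalise Check Point key=value log lines into gen.* generic fields.

Added example, not the schema page's or Check Point's own code. Source-field
lists come from the Generic Fields table; precedence (first listed source wins
for single-valued fields) is this example's assumption. Samples are constructed.
"""
from __future__ import annotations

from typing import Any

# gen field -> (ordered Check Point source fields, schema type).
# Types follow the table: pint/plong are integers, "strings" is multi-valued.
GENERIC_MAP: dict[str, tuple[list[str], str]] = {
    "gen.src.ip": (["src", "src_ip", "Subscriber", "client_ip"], "text_general"),
    "gen.dest.ip": (["dst", "dst_ip", "proxied_server_ip", "peer_ip",
                     "peer_gateway", "Dst"], "text_general"),
    "gen.src.port": (["s_port", "src_port"], "pint"),
    "gen.dest.port": (["service", "port"], "pint"),
    "gen.username": (["dst_user_name", "src_user_name", "user", "src_user_dn",
                      "proxy_user_name", "proxy_user_dn", "ftp_user", "scv_user",
                      "user_name", "Process_Username", "administrator"], "text_general"),
    "gen.hostname": (["origin", "icap_server_name", "src_machine_name",
                      "proxy_machine_name", "dst_machine_name", "machine", "orig"],
                     "text_general"),
    "gen.firewall.action": (["rule_action", "action", "Action",
                             "match_table.rule_action"], "strings"),
    "gen.firewall.rule": (["rule", "app_rule_id", "app_rule_name", "ep_rule_id",
                           "match_table.rule_name"], "strings"),
    "gen.firewall.bytesSent": (["sent_bytes"], "plong"),
    "gen.firewall.bytesReceived": (["received_bytes"], "plong"),
    "gen.protocol": (["proto", "protocol", "dlp_transport", "voip_reg_ipp"], "strings"),
    "gen.proxy.endpoint": (["resource", "url", "outgoing_url", "http_location",
                            "Resource"], "string"),
    "gen.proxy.httpStatus": (["status"], "pint"),
    "gen.proxy.method": (["method"], "string"),
    "gen.mail.sender": (["from", "mime_from"], "strings"),
    "gen.mail.receiver": (["to", "dlp_recipients", "mime_to", "cc", "bcc"], "strings"),
    "gen.mail.subject": (["email_subject", "dlp_subject", "subject"], "strings"),
    "gen.mail.size": (["message_size"], "plong"),
}

MULTI_VALUED = {"strings"}
INTEGER_TYPES = {"pint", "plong"}

# Constructed sample lines in the pipe-delimited key=value style (assumed format).
SAMPLE_LOGS = [
    # Access Control accept with ports, rule number and byte counters.
    "time=1700000000|product=Firewall|origin=gw-edge-01|src=10.1.2.3|s_port=51234"
    "|dst=203.0.113.10|service=443|proto=tcp|action=Accept|rule=12|rule_name=Allow-Web"
    "|sent_bytes=1532|received_bytes=98210",
    # HTTPS Inspection bypass: src_ip alias, two user fields, non-numeric status.
    "time=1700000001|product=HTTPS Inspection|origin=gw-edge-01|src_ip=10.1.2.3"
    "|src_user_name=alice|dst_user_name=svc-web|proxied_server_ip=198.51.100.7"
    "|port=443|status=Bypass|https_inspection_action=Bypass",
    # Mail event whose To and CC fields fold into multi-valued gen.mail.receiver.
    "time=1700000002|product=Anti-Spam|origin=mta-01|from=bob@example.test"
    "|to=alice@example.test|cc=carol@example.test|email_subject=Invoice|message_size=48213",
    # URL Filtering drop with a real HTTP status code.
    "time=1700000003|product=URL Filtering|origin=gw-edge-01|src=10.1.2.4"
    "|dst=203.0.113.20|service=80|proto=tcp|action=Drop"
    "|url=http://bad.example.test/x|status=403|method=GET",
]


def parse_kv(line: str) -> dict[str, str]:
    """Split a pipe-delimited key=value line into a dict.

    Tokens without '=' are skipped; only the first '=' separates key from
    value, so URLs or DNs containing '=' survive intact.
    """
    fields: dict[str, str] = {}
    for token in line.split("|"):
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def coerce(value: str, ftype: str) -> Any:
    """Apply the schema type; return None when an integer field holds text.

    checkpoint.status is documented as an HTTP status code or a bypass-mode
    state, so a value like "Bypass" leaves gen.proxy.httpStatus unset while
    the raw checkpoint.status is preserved.
    """
    if ftype in INTEGER_TYPES:
        try:
            return int(value)
        except ValueError:
            return None
    return value


def normalize(line: str) -> dict[str, Any]:
    """Return the raw checkpoint.* fields plus the derived gen.* fields."""
    raw = parse_kv(line)
    record: dict[str, Any] = {f"checkpoint.{k}": v for k, v in raw.items()}
    for gen_field, (sources, ftype) in GENERIC_MAP.items():
        present = [raw[s] for s in sources if s in raw]
        if not present:
            continue
        if ftype in MULTI_VALUED:
            # Multi-valued field: keep every source value, deduplicated, in table order.
            record[gen_field] = list(dict.fromkeys(present))
        else:
            value = coerce(present[0], ftype)
            if value is not None:
                record[gen_field] = value
    return record


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        rec = normalize(sample)
        print({k: v for k, v in rec.items() if k.startswith("gen.")})
```

Because `gen.username` lists `checkpoint.dst_user_name` before `checkpoint.src_user_name`, the second sample normalizes to the destination user; reorder the source list if your searches expect the initiating user, and keep both raw fields either way so the choice can be audited.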
Reference-Specific Fields (643)
| Field | Type |
|---|---|
checkpoint.bytes Total number of bytes observed for the connection/session | plong |
checkpoint.received_bytes Number of bytes received during the connection | plong |
checkpoint.sent_bytes | plong |
checkpoint.confidence_level ThreatCloud confidence level of the detection | string |
checkpoint.calc_desc Concise description for the log/event | text_general |
checkpoint.reason Reason or explanation for the action/decision | text_general |
checkpoint.message General or special log message text | text_general |
checkpoint.fw_message Firewall message for error or status conditions | text_general |
checkpoint.dst Destination IP address | string |
checkpoint.dst_ip Destination IP address | string |
checkpoint.dst_country Destination country derived from the destination IP | string |
checkpoint.src Source IP address | string |
checkpoint.src_ip Source IP address | string |
checkpoint.src_country Source country derived from the source IP | string |
checkpoint.dst_user_name Username associated with the destination IP | string |
checkpoint.src_user_name Username associated with the source IP | string |
checkpoint.user Source username for the connection or event | string |
checkpoint.email_id Internal email identifier within SMTP connection | string |
checkpoint.email_subject Original email subject | text_general |
checkpoint.email_session_id Internal email session identifier | string |
checkpoint.from Sender email address | string |
checkpoint.to Recipient email address | string |
checkpoint.file_id Unique file identifier assigned by the product | plong |
checkpoint.file_type Classified file type or MIME/extension | string |
checkpoint.file_name File name associated with the transaction or detection | string |
checkpoint.file_size Size of the file in bytes | plong |
checkpoint.file_md5 MD5 hash of the file | string |
checkpoint.file_sha1 SHA1 hash of the file | string |
checkpoint.file_sha256 SHA256 hash of the file | string |
checkpoint.id Override application identifier | plong |
checkpoint.log_id Unique log identity (type, family, product/blade, category) | plong |
checkpoint.loguid Unified log UUID | string |
checkpoint.session_id Log/session unique identifier | string |
checkpoint.ticket_id Unique ticket ID per file | string |
checkpoint.interface_name Security Gateway interface name through which the connection passed | string |
checkpoint.interfacedir Connection direction designation | string |
checkpoint.conn_direction Direction of the connection | string |
checkpoint.layer_name Matched layer or Threat Prevention match table name | string |
checkpoint.layer_uuid Matched layer UUID | string |
checkpoint.policy Threat Prevention policy name fetched by the gateway | string |
checkpoint.policy_mgmt Management Server name managing this Security Gateway | string |
checkpoint.policy_name Access/Threat policy name in effect | string |
checkpoint.rule Matched rule number in the policy | pint |
checkpoint.rule_action Action of the matched Access Control rule | string |
checkpoint.rule_name Name of the matched Access Control rule | string |
checkpoint.rule_uid Rule unique identifier within Access Control policy | string |
checkpoint.product Blade or component that generated the event | string |
checkpoint.product_family Product family classification (e.g., Network, Endpoint) | string |
checkpoint.fw_subproduct Firewall subproduct (e.g., VPN/non-VPN) | string |
checkpoint.malware_action Detailed action or behavior associated with the malware detection | text_general |
checkpoint.malware_family Malware family or protection information | string |
checkpoint.malware_rule_id Threat Prevention rule identifier | string |
checkpoint.malware_rule_name Threat Prevention rule name | string |
checkpoint.protection_id Protection malware identifier | string |
checkpoint.protection_name Detection or signature name | string |
checkpoint.protection_type Type/source of detection or protection | string |
checkpoint.verdict Engine verdict or HTTP enforcement decision | string |
checkpoint.scan_result Scan outcome such as infected or failure description | string |
checkpoint.resource Requested resource (URL, path, domain, or analyzed asset reference) | text_general |
checkpoint.tls_server_host_name TLS SNI or certificate CN used for categorization | string |
checkpoint.web_client_type Web client type (browser family) detected in HTTP request | string |
checkpoint.web_server_type Web server type detected in the HTTP response | string |
checkpoint.vendor_list Vendor name that provided a malicious URL verdict | string |
checkpoint.proxy_src_ip Proxied source IP address | string |
checkpoint.xff_injected_header Original client IP address seen via XFF | string |
checkpoint.proto IP protocol identifier or name | string |
checkpoint.protocol Application or detected connection protocol | string |
checkpoint.s_port Source port number | pint |
checkpoint.src_port Source port number | pint |
checkpoint.service_id Service identified for the connection (derived from destination port) | string |
checkpoint.origin Name of the first Security Gateway that reported the event | string |
checkpoint.origin_ip IP address of the Security Gateway that generated the log | string |
checkpoint.origin_sic_name SIC name of the Security Gateway | string |
checkpoint.severity Threat severity level | string |
checkpoint.source_os Operating system of the source host | string |
checkpoint.host_type Host type or device class (e.g., desktop, laptop) | string |
checkpoint.inzone Source zone (e.g., internal/external) | string |
checkpoint.outzone Destination zone (e.g., internal/external) | string |
checkpoint.sub_policy_name Sub-policy or layer name | string |
checkpoint.sub_policy_uid Sub-policy or layer UID | string |
checkpoint.sctp_error SCTP error cause when out-of-state | string |
checkpoint.chunk_type SCTP chunk type involved | string |
checkpoint.sctp_association_state SCTP association state in transition | string |
checkpoint.tcp_packet_out_of_state TCP state violation description | string |
checkpoint.tcp_flags TCP flags observed | string |
checkpoint.tcp_state TCP state change log description | string |
checkpoint.ip_option IP option value that was dropped | pint |
checkpoint.time Timestamp when the log was created | pdate |
checkpoint.start_time Session start time | pdate |
checkpoint.expire_time Connection closing time | pdate |
checkpoint.elapsed Elapsed time since session start | plong |
checkpoint.event_count Number of events associated with this log aggregation | plong |
checkpoint.packets_per_second Packet rate during the connection | pint |
checkpoint.packets Total number of packets in the connection | plong |
checkpoint.client_inbound_packets Number of packets received by the client | plong |
checkpoint.client_outbound_packets Number of packets sent from the client | plong |
checkpoint.server_inbound_packets Number of packets received by the server | plong |
checkpoint.server_outbound_packets Number of packets sent from the server | plong |
checkpoint.client_inbound_bytes Number of bytes received by the client | plong |
checkpoint.client_outbound_bytes Number of bytes sent from the client | plong |
checkpoint.server_inbound_bytes Number of bytes received by the server | plong |
checkpoint.server_outbound_bytes Number of bytes sent from the server | plong |
checkpoint.client_inbound_interface Gateway interface where an outbound connection is received from the client side | string |
checkpoint.client_outbound_interface Gateway interface where an inbound connection is sent from on the client side | string |
checkpoint.server_inbound_interface Gateway interface where an inbound connection is received on the server side | string |
checkpoint.server_outbound_interface Gateway interface where an outbound connection is sent on the server side | string |
checkpoint.icmp ICMP message associated with the connection | string |
checkpoint.icmp_type ICMP type value when protocol is ICMP | pint |
checkpoint.icmp_code ICMP code value when protocol is ICMP | pint |
checkpoint.rpc_prog RPC program value for new RPC state | pint |
checkpoint.capture_uuid UUID for packet capture associated with this log | string |
checkpoint.packet_length Observed packet length | string |
checkpoint.expected_length Expected packet length | string |
checkpoint.diameter_app_name Diameter application name | string |
checkpoint.diameter_app_ID Diameter application ID | pint |
checkpoint.diameter_cmd_code Diameter command code | pint |
checkpoint.diameter_msg_type Diameter message type | string |
checkpoint.info Additional rule or special message information | text_general |
checkpoint.cp_message General message text from the product | text_general |
checkpoint.log_delay Delay (seconds) before sending aggregated Accept Template log | pint |
checkpoint.connection_count Number of connections represented | plong |
checkpoint.active_conn_elapsed Total connection time for active connection | plong |
checkpoint.during_sec Connection duration in seconds | plong |
checkpoint.fragments_dropped Number of dropped fragments | plong |
checkpoint.ip_offset IP fragment offset | pint |
checkpoint.email_spam_category Email spam categorization | string |
checkpoint.email_control Email security engine name | string |
checkpoint.email_control_analysis Classification details from spam engine | string |
checkpoint.email_recipients_num Number of recipients for the email | pint |
checkpoint.original_queue_id Original Postfix email queue ID | string |
checkpoint.failure_impact Impact of update service failure | string |
checkpoint.information Status of policy installation for a specific blade | string |
checkpoint.app_category Application primary category | string |
checkpoint.matched_category Matched category name from policy/match table | string |
checkpoint.appi_name Application name or requested website domain (domain only) | string |
checkpoint.app_desc Application description | string |
checkpoint.connectivity_level Connectivity level for new connection in wire mode | string |
checkpoint.scan_direction Scan direction relative to gateway and zones | string |
checkpoint.isp_link ISP link name associated with the message | string |
checkpoint.indicator_name Indicator of Compromise (IoC) name | string |
checkpoint.indicator_description Description of the IoC | text_general |
checkpoint.indicator_reference Reference for the IoC | string |
checkpoint.indicator_uuid UUID of the IoC indicator | string |
checkpoint.observable_name Observable signature name | string |
checkpoint.observable_id Observable signature ID | string |
checkpoint.observable_comment Observable signature description/comment | text_general |
checkpoint.risk Risk level as assessed by the engine or application | string |
checkpoint.sequencenum Sequence number to order logs with identical timestamps and origin | plong |
checkpoint.app_id Numeric identifier of the detected application (match table) | pint |
checkpoint.app_properties All application categories the traffic matched (match table) | strings |
checkpoint.app_risk Application risk score in range 0–5 (0=Unknown, 5=Critical) | pint |
checkpoint.app_rule_id Identifier/number of the matched application control rule | string |
checkpoint.app_rule_name Name of the matched application control rule | string |
checkpoint.app_sig_id Signature ID used to detect the application (match table) | string |
checkpoint.categories Categories matched for the application | strings |
checkpoint.certificate_resource HTTPS resource used for categorization (SNI hostname or certificate DN) | string |
checkpoint.certificate_validation Precise error describing HTTPS certificate validation failure | string |
checkpoint.description Blade-specific additional information or explanation about HTTPS validation result | text_general |
checkpoint.usercheck_incident_uid UserCheck incident identifier | string |
checkpoint.usercheck_reference UserCheck reference information | string |
checkpoint.browse_time Accumulated browse time for the application session | pint |
checkpoint.limit_requested Indicator whether a data limit was requested for the session | pint |
checkpoint.limit_applied Indicator whether a data limit was applied to the session | pint |
checkpoint.dropped_outgoing Number of outgoing packets or bytes dropped due to limit (context dependent) | pint |
checkpoint.dropped_incoming Number of incoming packets or bytes dropped due to limit (context dependent) | pint |
checkpoint.dropped_total Total dropped packets/bytes (incoming+outgoing) under limit enforcement | pint |
checkpoint.suppressed_logs Count of connections/sessions aggregated into this log entry | pint |
checkpoint.match_id Internal mapping key of matched rule to matched application (match table) | pint |
checkpoint.client_type_os Client operating system as detected from HTTP request | string |
checkpoint.referrer HTTP referrer value indicating the previous web page address | string |
checkpoint.name Detected application name | string |
checkpoint.properties Application categories associated to the application (match table) | strings |
checkpoint.sig_id Signature ID by which the application was detected | string |
checkpoint.desc Override text for the application description | string |
checkpoint.referrer_self_uid UUID of the current log entry in referrer chain | string |
checkpoint.referrer_parent_uid UUID of the referring parent application log entry | string |
checkpoint.needs_browse_time Indicator whether browse time calculation is required for the connection | pint |
checkpoint.security_inzone Source security zone | string |
checkpoint.security_outzone Destination security zone | string |
checkpoint.url Matched or translated URL associated with the event | string |
checkpoint.outgoing_url Outgoing or internal (untranslated) URL related to HTTP POST or session | string |
checkpoint.app_byte_ps_in Incoming application traffic rate in Bytes per Second | pint |
checkpoint.app_byte_ps_out Outgoing application traffic rate in Bytes per Second | pint |
checkpoint.app_pack_ps_in Incoming application traffic rate in Packets per Second | pint |
checkpoint.app_pack_ps_out Outgoing application traffic rate in Packets per Second | pint |
checkpoint.matched_application Name of the application matched by policy | string |
checkpoint.cluster_info Cluster-related information such as failover reasons or state changes | string |
checkpoint.sync Synchronization status and reason (e.g., stable, at risk) | string |
checkpoint.file_direction File transfer direction (Upload/Download) | string |
checkpoint.invalid_file_size Validity indicator for the 'file_size' field; 0 means valid | pint |
checkpoint.top_archive_file_name Name of the top-level file within an archive that was transferred | string |
checkpoint.data_type_name Matched data type name from rulebase | string |
checkpoint.specific_data_type_name Matched data type in compound/group scenarios | string |
checkpoint.word_list Words or phrases matched by the data type | strings |
checkpoint.dlp_rule_name Name of the matched DLP rule | string |
checkpoint.dlp_recipients Mail recipients as detected by DLP | strings |
checkpoint.dlp_subject Mail subject associated with the DLP event | string |
checkpoint.dlp_word_list Phrases matched by the DLP data type | strings |
checkpoint.dlp_template_score Template data type match score | string |
checkpoint.message_size Size of the mail or HTTP post message | pint |
checkpoint.dlp_rule_uid Unique identifier of the matched DLP rule | string |
checkpoint.dlp_incident_uid Unique identifier (GUID) of the DLP incident | string |
checkpoint.dlp_related_incident_uid GUID of another incident related to this one | string |
checkpoint.dlp_data_type_name Name of the matched DLP data type (incl. fingerprint types) | string |
checkpoint.dlp_data_type_uid Unique ID of the matched DLP data type | string |
checkpoint.dlp_file_name Name of the file that matched DLP inspection | string |
checkpoint.dlp_violation_description User-facing description of the DLP violation as defined in policy | text_general |
checkpoint.dlp_relevant_data_types In group/compound cases, the inner data types that were matched | string |
checkpoint.dlp_action_reason Reason for the selected DLP action | string |
checkpoint.dlp_categories Category of the matched data type | strings |
checkpoint.dlp_transint Transport involved (HTTP/SMTP/FTP) as per DLP component | string |
checkpoint.duplicate Indicates duplicate logging (e.g., split mail detected twice) | string |
checkpoint.incident_extension Format of the original data related to the incident | string |
checkpoint.matched_file Fingerprint repository file that matched the inspected traffic | string |
checkpoint.matched_file_text_segments Number of text segments matched in the fingerprint comparison | pint |
checkpoint.matched_file_percentage Match percentage of traffic against the fingerprinted file | pint |
checkpoint.dlp_addtional_action Additional DLP action applied (e.g., Watermark) | string |
checkpoint.dlp_watermark_profile Watermark profile applied by DLP | string |
checkpoint.dlp_repository_id Identifier of the scanned repository | string |
checkpoint.dlp_repository_root_path Root path of the scanned repository | string |
checkpoint.scan_id Identifier of the DLP scan (sequential/internal) | string |
checkpoint.special_properties Flag used to hide progress-monitoring logs (1=hide) | pint |
checkpoint.dlp_repository_total_size Total size of repository in MB | pint |
checkpoint.dlp_repository_files_number Total number of files in repository | pint |
checkpoint.dlp_repository_scanned_files_number Number of files scanned in repository | pint |
checkpoint.duration Duration of the scan | pint |
checkpoint.dlp_fingerprint_long_status Verbose status of the fingerprinting scan | string |
checkpoint.dlp_fingerprint_short_status Short status code of the fingerprinting scan | string |
checkpoint.dlp_repository_directories_number Number of directories in repository | pint |
checkpoint.dlp_repository_unreachable_directories_number Number of directories that were not readable | pint |
checkpoint.dlp_fingerprinted_files_number Number of files successfully fingerprinted | pint |
checkpoint.dlp_repository_skipped_files_number Number of files skipped due to configuration | pint |
checkpoint.dlp_repository_scanned_directories_number Number of directories scanned | pint |
checkpoint.number_of_errors Number of files that failed to scan due to errors | pint |
checkpoint.next_scheduled_scan_date Timestamp of the next scheduled scan per time object | pdate |
checkpoint.dlp_repository_scanned_total_size Total scanned size in MB | pint |
checkpoint.dlp_repository_reached_directories_number Number of reachable/scanned directories | pint |
checkpoint.dlp_repository_not_scanned_directories_percentage Percentage of directories that were not scanned due to access issues | pint |
checkpoint.speed Current scan speed | pint |
checkpoint.dlp_repository_scan_progress Repository scan progress in percent | pint |
checkpoint.dlp_transport Transport protocol of the incident (HTTP, FTP, SMTP) | string |
checkpoint.https_inspection_action HTTPS Inspection decision (Inspect/Bypass/Error) | string |
checkpoint.https_inspection_rule_id Identifier of the matched HTTPS Inspection rule | string |
checkpoint.https_inspection_rule_name Name of the matched HTTPS Inspection rule | string |
checkpoint.bypass_reason Reason explaining HTTPS bypass decision | string |
checkpoint.reject_reason Reason explaining HTTPS reject decision | string |
checkpoint.details Detailed information regarding the action reason | text_general |
checkpoint.failure_details Detailed information about the HTTPS inspection failure | text_general |
checkpoint.reason_description General description of the action reason | text_general |
checkpoint.failure_type Type of failure in HTTPS connection (server/client/other) | string |
checkpoint.tls_alert_received TLS alert received by the gateway from the HTTPS server | string |
checkpoint.https_validation Certificate validation result/error for HTTPS inspection | string |
checkpoint.gateway_to_server_tls_version TLS version between Security Gateway and HTTPS server | string |
checkpoint.client_to_gateway_tls_version TLS version between client and Security Gateway | string |
checkpoint.gateway_to_server_ciphers Cipher suite negotiated between Security Gateway and server | string |
checkpoint.client_to_gateway_ciphers Cipher suite negotiated between client and Security Gateway | string |
checkpoint.proxied_server_ip IP address of the proxied HTTPS server | string |
checkpoint.status Status value; may indicate bypass mode state or HTTP status code depending on context | string |
checkpoint.icap_service_id ICAP service identifier (supports multiple servers/services) | pint |
checkpoint.icap_server_name ICAP server name | string |
checkpoint.internal_error Internal error information for troubleshooting | string |
checkpoint.icap_more_info Free-text ICAP verdict details | string |
checkpoint.reply_status ICAP reply status code (e.g., 200, 204) | pint |
checkpoint.icap_server_service Service name from the ICAP URI | string |
checkpoint.mirror_and_decrypt_type Information about decrypt-and-forward/mirroring behavior | string |
checkpoint.session_uid Session identifier (HTTP/SNX/Mobile Access) | string |
checkpoint.broker_publisher IP address of the broker publisher that shared session info | string |
checkpoint.src_machine_name Machine name associated with the source IP address | string |
checkpoint.src_user_dn User distinguished name linked to the source IP address | string |
checkpoint.src_user_group User group name associated with the source | string |
checkpoint.proxy_user_name Username associated with the proxy IP address | string |
checkpoint.proxy_machine_name Machine name associated with the proxy IP address | string |
checkpoint.proxy_user_dn User distinguished name associated with the proxy IP address | string |
checkpoint.dst_machine_name Machine name associated with the destination IP address | string |
checkpoint.identity_type Type of identity involved (user or machine) | string |
checkpoint.query DNS query name requested | string |
checkpoint.dns_query DNS query name requested | string |
checkpoint.dns_type DNS record type requested | string |
checkpoint.inspection_item Blade element that performed the inspection | string |
checkpoint.performance_impact Protection performance impact indicator | pint |
checkpoint.inspection_category Inspection category such as protocol anomaly or signature | string |
checkpoint.inspection_profile Threat prevention profile which the protection belongs to | string |
checkpoint.inspection_information Attack or violation description | string |
checkpoint.summary Summary text (e.g., for non-compliant DNS drops or detected URLs per host) | text_general |
checkpoint.tid DNS transaction identifier | pint |
checkpoint.dns_message_type DNS message type (Query/Response/Authoritative response) | string |
checkpoint.question_rdata List of domain names in the question section | strings |
checkpoint.answer_rdata Answer resource records corresponding to the question | strings |
checkpoint.authority_rdata List of authoritative servers in the response | strings |
checkpoint.additional_rdata Additional resource records included in the response | strings |
checkpoint.files_names List of files requested by FTP | strings |
checkpoint.ftp_user FTP username used in the session | string |
checkpoint.mime_from Sender email address (MIME From) | string |
checkpoint.mime_to Recipient email address list (MIME To) | strings |
checkpoint.cc CC recipient addresses | strings |
checkpoint.bcc BCC recipient addresses | strings |
checkpoint.content_type Content type (mail MIME type or VoIP session descriptor, depending on context) | string |
checkpoint.subject Mail subject or audit category label (context dependent) | string |
checkpoint.user_agent String that identifies the requesting software user-agent | string |
checkpoint.http_location Response header indicating the URL to redirect a page to | string |
checkpoint.content_disposition Indicates how the content is expected to be displayed inline in the web browser | string |
checkpoint.via "Via" header added by proxies to track request hops and avoid loops | string |
checkpoint.http_server Server HTTP header value identifying origin server software | string |
checkpoint.content_length Size of the HTTP message body in bytes | plong |
checkpoint.method HTTP method used by the request | string |
checkpoint.authorization Authorization HTTP header value | text_general |
checkpoint.http_host Domain name of the server the HTTP request is sent to | string |
checkpoint.industry_reference CVE registry entry or industry reference identifier | string |
checkpoint.inspection_settings_log Indicates that the log was released by inspection settings | string |
checkpoint.caused_quarantine Indicates whether the attack caused a quarantine | string |
checkpoint.email_message_id Email session identifier (unique ID of the mail) | string |
checkpoint.email_queue_id Postfix email queue ID | string |
checkpoint.email_queue_name Postfix email queue name | string |
checkpoint.failure_reason Mail transfer failure description or remediation failure details | text_general |
checkpoint.email_headers String containing all the email headers | text_general |
checkpoint.arrival_time Email arrival timestamp | pdate |
checkpoint.email_status Email processing state (e.g., delivered, deferred, bounced, scan_started, scan_ended) | string |
checkpoint.status_update Timestamp when the log was last updated | pdate |
checkpoint.scan_started Beginning of the scanning process timestamp | pdate |
checkpoint.scan_ended End of the scanning process timestamp | pdate |
checkpoint.delivery_time Timestamp when the email was delivered | pdate |
checkpoint.links_num Number of links found in the email | pint |
checkpoint.attachments_num Number of attachments in the email | pint |
checkpoint.email_content Classification of mail contents (attachments/links/text only) | string |
checkpoint.user_group Group to which the user belongs upon login | string |
checkpoint.cvpn_resource Mobile Access application/resource | string |
checkpoint.cvpn_category Mobile Access application type or ESOD category | string |
checkpoint.reject_id Reject ID shown on Mobile Access error pages | string |
checkpoint.allocated_ports Amount of allocated NAT ports | pint |
checkpoint.capacity Capacity of the NAT ports | pint |
checkpoint.ports_usage Percentage of allocated NAT ports | pint |
checkpoint.nat_exhausted_pool Identifier (4-tuple) of an exhausted NAT pool | text_general |
checkpoint.xlatesrc Source IP address after applying NAT | string |
checkpoint.xlatedst Destination IP address after applying NAT | string |
checkpoint.xlatesint Source port after Hide NAT on the source IP address | pint |
checkpoint.xlatedint Destination port after NAT | pint |
checkpoint.nat_rulenum Matched NAT rule number | pint |
checkpoint.nat_addtnl_rulenum Second matched automatic NAT rule (0 if none) | pint |
checkpoint.message_info Informational message, e.g., multicast packet dropped or NAT connection ended | text_general |
checkpoint.nat46 NAT46 status (often "enabled") | string |
checkpoint.end_time TCP connection end time | pdate |
checkpoint.tcp_end_reason Reason for TCP connection closure | string |
checkpoint.cgnat CGNAT allocation details for a specific subscriber | string |
checkpoint.Subscriber Subscriber source IP address before CGNAT | string |
checkpoint.hide_ip Source IP address used after CGNAT | string |
checkpoint.int_start Subscriber start integer for NAT allocation | pint |
checkpoint.int_end Subscriber end integer for NAT allocation | pint |
checkpoint.drop_reason Drop reason description or aggregated drop reason | text_general |
checkpoint.packet_amount Number of packets dropped | pint |
checkpoint.monitor_reason Reason recorded in aggregated logs of monitored packets | string |
checkpoint.drops_amount Amount of multicast packets dropped | pint |
checkpoint.securexl_message SecureXL message (e.g., missed accounting after heavy load or firewall drop message) | text_general |
checkpoint.conns_amount Number of connections in the aggregated log | pint |
checkpoint.aggregation_info List of aggregated source connections | text_general |
checkpoint.scope IP address related to the attack | string |
checkpoint.analyzed_on Asset used for emulation (e.g., Threat Emulation Cloud, Appliance, Harmony Local Cache) | string |
checkpoint.detected_on System/app versions on which the file was emulated (vulnerable operating systems) | string |
checkpoint.dropped_file_name Names of files dropped by the original file during emulation | string |
checkpoint.dropped_file_type Types of files dropped by the original file during emulation | string |
checkpoint.dropped_file_hash Hashes of files dropped by the original file during emulation | string |
checkpoint.dropped_file_verdict Verdicts for files dropped by the original file during emulation | string |
checkpoint.emulated_on Images/OS where the files were emulated (not vulnerable) | string |
checkpoint.extracted_file_type Types of extracted files in case of an archive | string |
checkpoint.extracted_file_names Names of extracted files in case of an archive | strings |
checkpoint.extracted_file_hash Archive hash when files were extracted | string |
checkpoint.extracted_file_verdict Verdict of extracted files in case of an archive | string |
checkpoint.extracted_file_uid UID of extracted files in case of an archive | string |
checkpoint.mitre_initial_access MITRE tactic: Initial Access | string |
checkpoint.mitre_execution MITRE tactic: Execution | string |
checkpoint.mitre_persistence MITRE tactic: Persistence | string |
checkpoint.mitre_privilege_escalation MITRE tactic: Privilege Escalation | string |
checkpoint.mitre_defense_evasion MITRE tactic: Defense Evasion | string |
checkpoint.mitre_credential_access MITRE tactic: Credential Access | string |
checkpoint.mitre_discovery MITRE tactic: Discovery | string |
checkpoint.mitre_lateral_movement MITRE tactic: Lateral Movement | string |
checkpoint.mitre_collection MITRE tactic: Collection | string |
checkpoint.mitre_command_and_control MITRE tactic: Command and Control | string |
checkpoint.mitre_exfiltration MITRE tactic: Exfiltration | string |
checkpoint.mitre_impact MITRE tactic: Impact | string |
checkpoint.parent_file_hash Archive hash in case of extracted files | string |
checkpoint.parent_file_name Archive name in case of extracted files | string |
checkpoint.parent_file_uid Archive UID in case of extracted files | string |
checkpoint.similar_iocs Other IoCs similar to those related to the malicious file | strings |
checkpoint.similar_hashes Hashes found similar to the malicious file | strings |
checkpoint.similar_strings Strings found similar to the malicious file | strings |
checkpoint.similar_communication Network actions found similar to the malicious file | strings |
checkpoint.te_verdict_determined_by Emulator(s) that determined the file verdict | string |
checkpoint.packet_capture_unique_id Identifier of the packet capture files / EFR report | string |
checkpoint.total_attachments Total number of attachments in the email | pint |
checkpoint.total_logs Total number of logs in the aggregation | pint |
checkpoint.additional_info Additional info about the event (e.g., process/PID, original file/mail IDs, exclusion hints) | text_general |
checkpoint.content_risk File risk score (0 Unknown .. 5 Critical) | pint |
checkpoint.operation Operation by Threat Extraction or operation performed on the object/rule | string |
checkpoint.scrubbed_content Active or suspicious content that was found | text_general |
checkpoint.scrub_time Extraction process duration | string |
checkpoint.scrub_download_time File download time from resource | string |
checkpoint.scrub_total_time Threat extraction total file handling time | string |
checkpoint.scrub_activity Result of the extraction process | string |
checkpoint.watermark Reports whether a watermark was added to the cleaned file | string |
checkpoint.domain_name Domain name sent in DNS request | string |
checkpoint.source_object Matched object name in source column | string |
checkpoint.destination_object Matched object name in destination column | string |
checkpoint.hit Number of hits on a rule | pint |
checkpoint.rulebase_id Layer number (rulebase identifier) | pint |
checkpoint.first_hit_time First hit time in the current interval (relative/epoch as exported) | pint |
checkpoint.last_hit_time Last hit time in the current interval (relative/epoch as exported) | pint |
checkpoint.rematch_info Information when old connections cannot be matched during policy installation | text_general |
checkpoint.last_rematch_time Connection rematched time | pdate |
checkpoint.action_reason Connection drop reason or action rationale | text_general |
checkpoint.c_bytes Boolean flag (as integer) indicating whether client bytes are accounted | pint |
checkpoint.context_num Serial number of the log within a specific connection | pint |
checkpoint.alert Alert level of matched rule (Unified Policy alert) | string |
checkpoint.action Enforced action for the event (e.g., Allow/Accept/Prevent/Detect/Drop/Block/Extract) | string |
checkpoint.parent_rule Parent rule number in case of inline layer | pint |
checkpoint.match_fk Matched rule number | pint |
checkpoint.media_type Media used (audio, video, etc.) | string |
checkpoint.sip_reason Reason why source is not allowed to redirect (handover) | string |
checkpoint.voip_method VoIP request method (call/registration) | string |
checkpoint.voip_reg_user_type Registered IP-Phone type | string |
checkpoint.voip_call_id VoIP Call-ID | string |
checkpoint.voip_reg_int Registration port | pint |
checkpoint.voip_reg_ipp Registration IP protocol number | pint |
checkpoint.voip_reg_period Registration period (seconds) | pint |
checkpoint.voip_log_type VoIP log type (reject/call/registration) | string |
checkpoint.src_phone_number Source IP-Phone / phone number | string |
checkpoint.voip_from_user_type Source IP-Phone type | string |
checkpoint.dst_phone_number Destination phone number / IP-Phone | string |
checkpoint.voip_to_user_type Destination IP-Phone type | string |
checkpoint.voip_call_dir VoIP call direction (in/out) | string |
checkpoint.voip_call_state VoIP call state (in/out) | string |
checkpoint.voip_call_term_time Call termination time stamp | pdate |
checkpoint.voip_duration Call duration in seconds | pint |
checkpoint.voip_media_port Media port | string |
checkpoint.voip_media_ipp Media IP protocol | string |
checkpoint.voip_est_codec Estimated codec | string |
checkpoint.voip_exp Expiration | pint |
checkpoint.voip_attach_sz VoIP attachment size | pint |
checkpoint.voip_attach_action_info VoIP attachment action information | string |
checkpoint.voip_media_codec Estimated codec (media) | string |
checkpoint.voip_reject_reason VoIP reject reason | string |
checkpoint.voip_reason_info Additional information on VoIP reject reason | string |
checkpoint.voip_config VoIP configuration | string |
checkpoint.voip_reg_server Registrar server IP address | string |
checkpoint.scv_user Username whose packets are dropped during Secure Configuration Verification (SCV) | string |
checkpoint.scv_message_info SCV drop reason | string |
checkpoint.ppp PPP authentication status | string |
checkpoint.scheme Encryption scheme used for the log | string |
checkpoint.auth_method Password authentication protocol used (e.g., PAP or EAP) | string |
checkpoint.machine L2TP machine that triggered the log entry | string |
checkpoint.vpn_feature_name VPN feature involved in the event (e.g., L2TP, IKE, Link Selection) | string |
checkpoint.reject_category Authentication failure category or reason | string |
checkpoint.peer_ip_probing_status_update Status of peer IP responsiveness probe | string |
checkpoint.peer_ip IP address the client connects to | string |
checkpoint.peer_gateway Main IP address of the VPN peer security gateway | string |
checkpoint.link_probing_status_update Status of link responsiveness probe | string |
checkpoint.source_interface External interface name for the source side (or null if not found) | string |
checkpoint.next_hop_ip Next hop IP address chosen for routing | string |
checkpoint.srckeyid Initiator SPI identifier | string |
checkpoint.dstkeyid Responder SPI identifier | string |
checkpoint.encryption_failure Reason message indicating why encryption failed | text_general |
checkpoint.ike_ids All Quick Mode IDs associated with the exchange | string |
checkpoint.community Community name associated with the IPsec key and IKE usage | string |
checkpoint.ike IKE negotiation phase or mode (e.g., PHASE1, PHASE2) | string |
checkpoint.cookieI IKE initiator cookie | string |
checkpoint.cookieR IKE responder cookie | string |
checkpoint.msgid IKE Phase 2 message ID | string |
checkpoint.methods IPsec encryption/authentication methods used | string |
checkpoint.connection_uid MD5-based connection UID calculated from IP address and username | string |
checkpoint.site_name Name of the VPN site | string |
checkpoint.esod_rule_name Endpoint Security On Demand (ESOD) rule name | string |
checkpoint.esod_rule_action ESOD rule action taken | string |
checkpoint.esod_rule_type ESOD rule type | string |
checkpoint.esod_noncompliance_reason Reason for ESOD non-compliance | string |
checkpoint.esod_associated_policies Policies associated with ESOD evaluation | string |
checkpoint.spyware_name Detected spyware/malware name | string |
checkpoint.spyware_type Detected spyware/malware type | string |
checkpoint.anti_virus_type Virus classification or threat type | string |
checkpoint.end_user_firewall_type Endpoint firewall product/type | string |
checkpoint.esod_scan_status ESOD scan status | string |
checkpoint.esod_access_status ESOD access decision status | string |
checkpoint.client_type Client type (e.g., Endpoint Connect) | string |
checkpoint.cir Committed Information Rate in bits per second | plong |
checkpoint.cir_threshold Committed Information Rate threshold in bits per second | plong |
checkpoint.rtt Round-trip time in milliseconds | pint |
checkpoint.wire_byte_ps_in Incoming wire-mode throughput in bytes per second | plong |
checkpoint.wire_byte_ps_out Outgoing wire-mode throughput in bytes per second | plong |
checkpoint.wire_pack_ps_in Incoming wire-mode packets per second | plong |
checkpoint.wire_pack_ps_out Outgoing wire-mode packets per second | plong |
checkpoint.precise_error Detailed HTTP parser error message | text_general |
checkpoint.event_uuid Internal unique event identifier | string |
checkpoint.user_name Username (optionally domain-qualified) logged on at event time | string |
checkpoint.user_sid User security identifier (SID) at event time | string |
checkpoint.event_type Event name/type as reported by the product | string |
checkpoint.UTC UTC timestamp of the event | pdate |
checkpoint.local_time Local time on the endpoint computer at event occurrence | pdate |
checkpoint.Severity Event severity level (numeric representation of Low/Medium/High/Critical/N-A) | pint |
checkpoint.client_name Installed client product name | string |
checkpoint.client_version Version of the installed client | string |
checkpoint.installed_products List of installed endpoint blades/features | string |
checkpoint.os_name Operating system name on the source endpoint | string |
checkpoint.os_version Operating system version/build on the source endpoint | string |
checkpoint.tenant_id Unique tenant identifier (for EPMaaS) | string |
checkpoint.virtual_groups Virtual groups the client belongs to | string |
checkpoint.auth_type Authentication type (e.g., Kerberos, strong auth; device/user/both) | string |
checkpoint.action_comment Additional action commentary (e.g., block/terminate notes or policy install comments) | text_general |
checkpoint.policy_date Policy date or date of policy installation | pdate |
checkpoint.policy_type Internal policy type number indicating blade association | pint |
checkpoint.policy_guid Internal policy GUID on the server | string |
checkpoint.policy_version Policy version number | pint |
checkpoint.op_guid Push operation internal identifier | string |
checkpoint.op_type Push operation type | string |
checkpoint.op_owner Blade responsible for executing the push operation | string |
checkpoint.op_receivedTime Time the push operation was received | pdate |
checkpoint.op_scheduledTime Scheduled time for the push operation (may be 'immediate') | string |
checkpoint.op_userAction User-selected action for the push operation (OK/Cancel/Postpone) | string |
checkpoint.op_userJustification User-provided justification for postponing/canceling the operation | text_general |
checkpoint.op_status Push operation overall status | string |
checkpoint.op_statusDescription Additional push operation status details | string |
checkpoint.op_output Push operation result payload returned to the server | text_general |
checkpoint.fde_details Full Disk Encryption details (includes hostname and client version) | string |
checkpoint.fde_account User account used for FDE acquisition | string |
checkpoint.fde_account_guid Internal ID (GUID) of the FDE user account | string |
checkpoint.fde_rh_guid FDE remote help GUID | string |
checkpoint.client_status Global FDE blade status (e.g., Encrypted/Encrypting/Decrypting) | string |
checkpoint.client_status_details Current encryption progress value | pint |
checkpoint.connectivity_state Type of currently applied policy (Connected/Disconnected/Restricted) | string |
checkpoint.EventTypeFlags Internal flags distinguishing service messages from operational messages | string |
checkpoint.__policy_id_tag Internal policy identification tag | string |
checkpoint.media_description Connected media/device description | string |
checkpoint.media_manufacturer Connected media/device manufacturer | string |
checkpoint.media_encrypted Whether the inserted device is encrypted | string |
checkpoint.media_authorized Whether the inserted device is authorized (numeric flag) | pint |
checkpoint.media_class_id Windows-assigned device class identifier | string |
checkpoint.writing_data_access Write access policy decision for media operations | string |
checkpoint.reading_data_access Read access policy decision for media operations | string |
checkpoint.is_scanned Authorization scan result state | string |
checkpoint.Action Action applied by the product (e.g., Allow/Prevent/Detect/Drop/Inform) | string |
checkpoint.process Process or executable involved in the operation | string |
checkpoint.source_path Source file path involved in the operation | string |
checkpoint.destination_path Destination file path involved in the operation | string |
checkpoint.UserCheck_incident_uid UserCheck incident identifier | string |
checkpoint.is_target_encrypted_storage Whether data target is encrypted storage (numeric flag) | pint |
checkpoint.is_organization_host Whether the host is within the origin organization (numeric flag) | pint |
checkpoint.file_operation File operation performed (Read/Write/Delete/Create/Move/Copy/Burn/Offline) | string |
checkpoint.data_type Business-related classification of the data | string |
checkpoint.UserCheck Whether a UserCheck prompt was shown (numeric flag) | pint |
checkpoint.user_status UserCheck decision status (Approved/Blocked/Pending/Expired) | string |
checkpoint.portal_message Message text displayed to the user via UserCheck | text_general |
checkpoint.UserCheck_UserInput User input provided in the UserCheck dialog | text_general |
checkpoint.media_encrypted_algo Encryption algorithm used for the media | string |
checkpoint.media_size Total size of the media in bytes | plong |
checkpoint.media_encryptedbytes Size of the encrypted portion of the media in bytes | plong |
checkpoint.integrity_av_invoke_type Type of anti-malware scan invoked | string |
checkpoint.scan_level Level or depth of the scan | string |
checkpoint.scanned_drives List of drives included in the scan | string |
checkpoint.policy_number Policy version/number as reported | string |
checkpoint.sig_ver Anti-malware signatures version | string |
checkpoint.engine_ver Anti-malware engine version | string |
checkpoint.Duration Scan duration as reported | string |
checkpoint.items_scanned Number of items scanned | pint |
checkpoint.items_detected Number of items detected | pint |
checkpoint.items_treated Number of items treated (e.g., cleaned, deleted, quarantined) | pint |
checkpoint.action_details Details of action outcome (scan/infection/update statuses) | text_general |
checkpoint.infection_category Threat category (Virus/Trojan/Malware/Adware/Riskware/Unknown) | string |
checkpoint.advanced_info Internal field used for configuring exclusions | text_general |
checkpoint.failed_updates Count of failed update attempts | pint |
checkpoint.am_update_source Source URL for anti-malware updates | string |
checkpoint.am_update_proxy Whether a proxy was used for updates (and possibly proxy details) | string |
checkpoint.result Update result (Finished/Failed/Error) | string |
checkpoint.previous_infection_status Previous infection status of the computer | string |
checkpoint.current_infection_status Current infection status of the computer | string |
checkpoint.previous_untreated_infections Previous count of untreated infections | pint |
checkpoint.current_untreated_infections Current count of untreated infections | pint |
checkpoint.update_ver Signature/update version | string |
checkpoint.Quarantined_Event Outcome of quarantine restoration | string |
checkpoint.program_name Program or application name involved (Application Control context) | string |
checkpoint.service Destination service/port number | pint |
checkpoint.Direction Connection direction (Inbound/Outbound) | string |
checkpoint.src_dns_name Resolved DNS name of the source host | string |
checkpoint.dst_dns_name Resolved DNS name of the destination host | string |
checkpoint.ep_rule_id Matching rule number in the list | pint |
checkpoint.NP_status New status of Network Protection (if user can disable it) | string |
checkpoint.Dst Connection destination IP address | string |
checkpoint.treatment_mode Treatment mode (Manual/Auto/Unknown) | string |
checkpoint.old_status Previous compliance status (Compliant/Observe/Warn/Restrict) | string |
checkpoint.new_status New compliance status (Compliant/Observe/Warn/Restrict) | string |
checkpoint.remediation Remediation command name | string |
checkpoint.remediation_result Result of remediation (Succeeded/Failed) | string |
checkpoint.remediation_scope Remediation scope level (Check/Rule) | string |
checkpoint.check_name Name of the matching compliance check | string |
checkpoint.remediation_source URL of the remediation file | string |
checkpoint.remediation_file Local file path where the remediation file is saved | string |
checkpoint.run_as User context used to run the remediation (e.g., SYSTEM or current user) | string |
checkpoint.automatic_remediation Whether remediation was automatic or user-initiated | string |
checkpoint.check_type Type/category of the matching compliance check | string |
checkpoint.check_requirement Name of the matching compliance requirement | string |
checkpoint.check_details Details explaining why the check matched | string |
checkpoint.check_validations Additional details of the check validations performed | string |
checkpoint.Resource Requested resource or URL | string |
checkpoint.First_Detection Time of the first detection of the infection | pdate |
checkpoint.Last_Detection Time of the last detection of the infection | pdate |
checkpoint.Process_Username Owner username of the process that triggered the attack | string |
checkpoint.port Requested network port | pint |
checkpoint.certificates Information about the certificate chain | text_general |
checkpoint.signer Signer of the inspected executable | string |
checkpoint.machine_sid Machine security identifier | string |
checkpoint.detected_by Name of the Blade or component that triggered forensics | string |
checkpoint.attack_status Status of the attack lifecycle | string |
checkpoint.remediated_files Files that were remediated | strings |
checkpoint.impacted_files Files that were affected by the incident | strings |
checkpoint.suspicious_events Events that led to the trigger | strings |
checkpoint.incident_details Additional details from the forensics analysis | text_general |
checkpoint.incident_uid Identifier of the endpoint forensics report, if available | string |
checkpoint.extension_version Version or build number of the browser extension component | string |
checkpoint.trusted_domain Trusted domain impersonated in a phishing event | string |
checkpoint.app_package Unique identifier of the application on the protected mobile device | string |
checkpoint.app_repackaged Indicates whether the application was repackaged by an unauthorized party | boolean |
checkpoint.app_sid_id Unique SHA identifier of the mobile application | string |
checkpoint.app_version Version of the application on the protected mobile device | string |
checkpoint.developer_certificate_name Name of the developer certificate used to sign the mobile application | string |
checkpoint.cp_component_version Version of the AutoUpdater component | string |
checkpoint.cp_component_name Name of the AutoUpdater component | string |
checkpoint.system_application Name of the internal application | string |
checkpoint.package_action Package action performed | string |
checkpoint.operation_results Operation result | string |
checkpoint.administrator User who performed the operation | string |
checkpoint.fieldschanges Specific changes made on the affected object | text_general |
checkpoint.client_ip IP address of the client machine from which the change was performed | string |
checkpoint.objecttype Type of the affected object | string |
checkpoint.objectname Name of the object affected by the action | string |
checkpoint.session_name Name of the session in which the change was published | string |
checkpoint.session_description Description of the session in which the change was published | text_general |
checkpoint.triggered_by Engine or software blade that triggered the log | string |
checkpoint.type Log type | string |
checkpoint.match_table.rule_name Access Control rule name (as matched in the policy layer) | string |
checkpoint.match_table.rule_action Action taken by the matched rule in the layer (e.g., Accept, Drop) | string |
checkpoint.match_table.rule_uid Unique identifier (UID) of the matched rule | string |
checkpoint.match_table.layer_uuid UUID of the policy layer where the rule matched | string |
checkpoint.match_table.layer_name Name of the policy layer where the rule matched | string |
checkpoint.match_table.match_id Identifier of the rule match within the match table | pint |
checkpoint.i_f_dir Traffic direction relative to the logging interface | string |
checkpoint.i_f_name Name of the Security Gateway interface on which the traffic was logged | string |
checkpoint.orig Originating Security Gateway that first reported the event | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they are emitted by the system. Depending on the context of the event, fields that are not applicable may be omitted.