
Useful SmartLog Queries

Generic Queries

| Research | SmartLog Query |
|---|---|
| Search for E-Mail Subject (searching without quotation marks and with a wildcard works for `email_subject`) | `email_subject:*TEXT*` |
| Application Control Proxy Log | `blade:"Application Control" AND appi_name:"Web Surfen" AND *part-of-hostname*` |
| All logs of a specific rule (search for the rule UID) | `{ABC12345-ABC1-ABC1-ABC1-ABC123ABC12}` |
| Security Management Log Server: logs that could not be sent to it | `"were not sent to log server"` |
| Filter Logs by Geo-Location | `src_country:"Germany" AND src:<ip-address>` |
| Alert on GW | `type:Alert AND origin:<fw-gwname>` |
| FW Control Messages (Failover etc.) | `type:Control` |
| ClusterXL Control Messages | `type:Control ClusterXL` |
| DHCP Messages | `service:dhcp` |
| Address Spoofing | `address spoofing` |
| Find aggressive aging events | `aggressive aging` |
| Any TCP state errors listed in sk101221 (alternatively, type `tcp state` or any relevant text such as `syn_sent` or `both fin` in the query field) | `tcp (fin OR syn) NOT "both fin" NOT "established"` |
| Global Broadcast | `dst:255.255.255.255` |
| HTTPS Inspection CRL or OCSP errors | `blade:"HTTPS Inspection" crl OR ocsp` |
| Certificates: any alert regarding CRL (Certificate Revocation List) or certificates (see sk104400 for more details) | `type:alert (certificate or CRL)` |
| Potential network configuration problem messages in the log (see sk63160) | `"Engine Settings - TCP"` |
| IPS Bypass Messages (see the CheckMates discussion "IPS bypass") | `blade:IPS NOT(action:(prevent OR block)) OR "IPS Bypass Engaged" OR "IPS Bypass Disengaged"` |

Threat Extraction / Emulation

| Research | SmartLog Query |
|---|---|
| Threat Extraction | `blade:"Threat Extraction" AND action:Extract` |
| Threat Extraction: search for E-Mail Subject | `blade:"Threat Extraction" OR blade:"Threat Emulation" AND email_subject:" TTTTT" OR email_subject:"TTTTT"` |
| Threat Extraction: show last activity | `blade:"Threat Extraction" AND "Content Removal" OR "Conversion to PDF"` |
| Threat Emulation: show errors | `blade:"Threat Emulation" *"ended with verdict Error"*` |
| Threat Emulation: show found threats | `blade:"Threat Emulation" AND severity:Critical NOT type:Correlated` |

Endpoint Security & Remote Access

| Research | SmartLog Query |
|---|---|
| Tunnel activity | `tunnel_test or action:"Key Install" or action:"Failed Log In" OR action:"Log In" OR action:"Log Out" OR action:reject OR action:Update` |
| Connection Errors | `blade:vpn AND action:Reject ( "endpoint" OR "user" OR "Office Mode" )` |
| Errors Authenticating Users | `"Could not obtain user object" "IKE failure"` |