
Useful SmartLog Queries

Generic Queries

Research | SmartLog Query
Search for E-Mail Subject | email_subject:*TEXT*
  Note: searching without quotation marks and with wildcards works for email_subject.
Application Control Proxy Log | blade:"Application Control" AND appi_name:"Web Surfen" AND *part-of-hostname*
All logs of a specific rule (search by rule UID) | {ABC12345-ABC1-ABC1-ABC1-ABC123ABC12}
Security Management Log Server: logs that could not be sent to it | "were not sent to log server"
Filter Logs by Geo-Location | src_country:"Germany" AND src:<ip-address>
Alerts on a gateway | type:Alert AND origin:<fw-gwname>
FW Control Messages (Failover etc.) | type:Control
ClusterXL Control Messages | type:Control ClusterXL
DHCP Messages | service:dhcp
Address Spoofing | address spoofing
Find aggressive aging events | aggressive aging
Any TCP state errors listed in sk101221 | tcp (fin OR syn) NOT "both fin" NOT "established"
  In the query field, type "tcp state" (without quotes) or any relevant text (e.g. "syn_sent", "both fin").
Global Broadcast | dst:255.255.255.255
HTTPS Inspection CRL or OCSP errors | blade:"HTTPS Inspection" crl OR ocsp
Certificates: any alert regarding CRL (Certificate Revocation List) or certificates (see sk104400 for more details) | type:alert (certificate or CRL)
Potential network configuration problem messages in log (see sk63160) | "Engine Settings - TCP"
IPS Bypass Messages (see discussion on CheckMates: IPS bypass) | blade:IPS NOT(action:(prevent OR block)) OR "IPS Bypass Engaged" OR "IPS Bypass Disengaged"

Threat Extraction / Emulation

Research | SmartLog Query
Threat Extraction | blade:"Threat Extraction" AND action:Extract
Threat Extraction: search for E-Mail Subject | blade:"Threat Extraction" OR blade:"Threat Emulation" AND email_subject:" TTTTT" OR email_subject:"TTTTT"
Threat Extraction: show last activity | blade:"Threat Extraction" AND "Content Removal" OR "Conversion to PDF"
Threat Emulation: show errors | blade:"Threat Emulation" *"ended with verdict Error"*
Threat Emulation: show found threats | blade:"Threat Emulation" AND severity:Critical NOT type:Correlated

Endpoint Security & Remote Access

Research | SmartLog Query
Seeing tunnel activity | tunnel_test or action:"Key Install" or action:"Failed Log In" OR action:"Log In" OR action:"Log Out" OR action:reject OR action:Update
Connection Errors | blade:vpn AND action:Reject ( "endpoint" OR "user" OR "Office Mode" )
Errors Authenticating Users | "Could not obtain user object" "IKE failure"