Understanding Threat Emulation logs

Document created by Thomas Werner on Apr 11, 2018. Last modified by Thomas Werner on Apr 11, 2018.

In a TE log you can find additional important information about how a file was processed:

 

 

In the example above, "trusted source" means that this file was bypassed via the global whitelist and hence was not emulated.

 

Different values explained:

 

Value              Comment
trusted source     file bypassed emulation due to the Check Point maintained and automatically updated TE whitelist
emulator           file was locally emulated on a SandBlast Appliance
cloud emulation    file was sent to cloud emulation
remote emulation   file was sent to a remote SandBlast Appliance for emulation (this log is usually issued by a gateway connected to a SandBlast appliance)
static analysis    file was pre-filtered by static analysis and was not emulated
local cache        file's SHA1 was already found in the cache (# tecli cache dump all) and the file was not emulated; the action is based on the cached verdict
archive            handled file was an archive

 

In-depth info on e.g. static analysis, cache handling etc. can be found in the amazing ATRG: Threat Emulation SK:

ATRG: Threat Emulation 

 

With this knowledge you can easily query all files that were really sent to the cloud for emulation, for example:

 

 

With SmartLog's Timeline results you can even quickly check how many files were handled in each way over a certain timeframe.

This is also helpful for investigating performance/throughput issues.
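The same breakdown can be reproduced offline over exported logs. The following is an added example, not code from the document or from Check Point; it assumes exported TE logs in key=value form, that the handling value lives in a field named emulation_handling (a placeholder, since the document does not name the field), and uses constructed sample lines.

```python
import re
from collections import Counter
from datetime import datetime

# Placeholder field name: the document does not state which log field
# carries the handling values, so this is an assumption for the example.
HANDLING_FIELD = "emulation_handling"

# Handling values from the document, grouped by whether emulation ran.
EMULATED = {"emulator", "cloud emulation", "remote emulation"}
NOT_EMULATED = {"trusted source", "static analysis", "local cache"}
KNOWN = EMULATED | NOT_EMULATED | {"archive"}

# key=value pairs; quoted values may contain spaces ("cloud emulation").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines (not real Check Point output).
SAMPLE_LOG = [
    'time=2018-04-11T10:00:12 file_name="invoice.pdf" emulation_handling="trusted source" verdict=benign',
    'time=2018-04-11T10:01:40 file_name="report.docx" emulation_handling="cloud emulation" verdict=malicious',
    'time=2018-04-11T10:03:05 file_name="setup.exe" emulation_handling="local cache" verdict=malicious',
    'time=2018-04-11T10:06:30 file_name="archive.zip" emulation_handling=archive verdict=benign',
    'time=2018-04-11T10:07:11 file_name="photo.png" emulation_handling="static analysis" verdict=benign',
    'time=2018-04-11T10:08:59 file_name="macro.xlsm" emulation_handling=emulator verdict=malicious',
]

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def really_emulated(lines):
    """File names that actually reached an emulator (local, cloud or remote)."""
    recs = (parse_line(l) for l in lines)
    return [r["file_name"] for r in recs if r.get(HANDLING_FIELD) in EMULATED]

def summarize(lines, bucket_minutes=5):
    """Count handling values per time bucket, like a SmartLog timeline.

    Returns (buckets, unknown): buckets maps 'YYYY-MM-DDTHH:MM' to a Counter
    of handling values; unknown lists values not covered by the document,
    which deserve a closer look before trusting the verdict breakdown.
    """
    buckets, unknown = {}, []
    for rec in map(parse_line, lines):
        handling = rec.get(HANDLING_FIELD)
        if handling not in KNOWN:
            unknown.append(handling)
            continue
        ts = datetime.fromisoformat(rec["time"])
        start = ts.replace(minute=ts.minute - ts.minute % bucket_minutes, second=0)
        buckets.setdefault(start.strftime("%Y-%m-%dT%H:%M"), Counter())[handling] += 1
    return buckets, unknown
```

A high share of "local cache" or "trusted source" relative to the emulated set in a bucket explains why throughput looks high while the emulator itself is barely loaded.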
