Understanding Threat Emulation logs

Document created by Thomas Werner (Employee) on Apr 11, 2018. Last modified by Thomas Werner (Employee) on Aug 7, 2018. Version 3.

In a TE log you can find additional important information about how a file was processed:

In the example above, "trusted source" means that the file was bypassed by the global whitelist and hence was not emulated.

Different values explained:

Value             Comment
----------------  --------------------------------------------------------------------------------
trusted source    file bypassed emulation due to the Check Point maintained and automatically updated TE whitelist
emulator          file was locally emulated on a SandBlast Appliance
cloud emulation   file was sent to cloud emulation
remote emulation  file was sent to a remote SandBlast Appliance for emulation (this log is usually issued by a gateway connected to a SandBlast Appliance)
static analysis   file was pre-filtered by static analysis and was not emulated
local cache       file's SHA1 was already found in the cache (# tecli cache dump all) and the file was not emulated; the action is based on the cached verdict
archive           the handled file was an archive
logger            you get "logger" as verdict decider for a "malicious" file when the file was not successfully emulated but other advisories had already convicted the file as malicious

In-depth information on e.g. static analysis, cache handling etc. can be found in the amazing ATRG: Threat Emulation SK:

ATRG: Threat Emulation 

With this knowledge you can easily query all files that were, e.g., really sent to the cloud for emulation:
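The same kind of query can be run offline over exported TE log lines. The following Python script is an added example, not part of this document or of Check Point's tooling: it parses constructed key=value log lines (the field names `time`, `file_name`, `file_sha1`, `verdict` and `emulated_on` are assumptions, not documented Check Point field names), counts how files were handled per value from the table above, lists the files really sent to cloud emulation, flags malicious verdicts for files that were never emulated themselves (e.g. the "logger" decider), and buckets file counts per minute as a text stand-in for the SmartLog Timeline view.

```python
"""Summarise how files were handled according to Threat Emulation log lines (added example)."""
import re
from collections import Counter

# Meaning of each value, as documented in the table above.
EMULATED_VALUES = {
    "trusted source": "bypassed emulation: Check Point maintained TE whitelist",
    "emulator": "emulated locally on a SandBlast Appliance",
    "cloud emulation": "sent to cloud emulation",
    "remote emulation": "sent to a remote SandBlast Appliance",
    "static analysis": "pre-filtered by static analysis, not emulated",
    "local cache": "SHA1 found in cache, cached verdict applied",
    "archive": "handled file was an archive",
    "logger": "not successfully emulated; convicted by other sources",
}

# Values for which the file itself was not emulated in this log entry.
NOT_EMULATED = {"trusted source", "static analysis", "local cache", "logger"}

# Constructed sample log lines; the key=value layout and the field names are assumptions.
SAMPLE_LOG = """\
time=2018-04-11T10:01:02 file_name=invoice.docx file_sha1=aaaa verdict=Benign emulated_on="cloud emulation"
time=2018-04-11T10:01:05 file_name=setup.exe file_sha1=bbbb verdict=Benign emulated_on="trusted source"
time=2018-04-11T10:02:10 file_name=report.pdf file_sha1=cccc verdict=Malicious emulated_on=emulator
time=2018-04-11T10:02:11 file_name=report.pdf file_sha1=cccc verdict=Malicious emulated_on="local cache"
time=2018-04-11T10:03:00 file_name=macro.xlsm file_sha1=dddd verdict=Malicious emulated_on=logger
time=2018-04-11T10:03:30 file_name=notes.txt file_sha1=eeee verdict=Benign emulated_on="static analysis"
"""

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of the key/value pairs found in one log line."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def parse_log(text):
    """Parse every non-empty line of a log export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def count_by_handling(records, field="emulated_on"):
    """Count log entries per handling value (like a query grouped by that field)."""
    return Counter(r.get(field, "unknown") for r in records)


def files_sent_to_cloud(records, field="emulated_on"):
    """Names of files that were really sent to cloud emulation."""
    return [r["file_name"] for r in records if r.get(field) == "cloud emulation"]


def malicious_without_emulation(records, field="emulated_on"):
    """Malicious verdicts where this entry's file was not emulated itself (cache, logger, ...)."""
    return [r for r in records
            if r.get("verdict") == "Malicious" and r.get(field) in NOT_EMULATED]


def counts_per_minute(records):
    """Files handled per minute: a text stand-in for the SmartLog Timeline view."""
    return Counter(r["time"][:16] for r in records if "time" in r)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for value, n in count_by_handling(recs).most_common():
        print(f"{n:3d}  {value:<18} {EMULATED_VALUES.get(value, '?')}")
    print("sent to cloud:", files_sent_to_cloud(recs))
    for r in malicious_without_emulation(recs):
        print("malicious without emulation:", r["file_name"], "->", r["emulated_on"])
    for minute, n in sorted(counts_per_minute(recs).items()):
        print(minute, n)
```

For a real export, replace SAMPLE_LOG with the file contents and pass the actual field name that carries these values to the `field` parameter; the verdicts flagged by `malicious_without_emulation` are the ones worth a second look, since the decision there came from the cache or from other sources rather than from a fresh emulation.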

With SmartLog's Timeline results you can also quickly check how many files were handled over a given timeframe.

This is also helpful when investigating performance/throughput issues.
