topic Sunburst Report in SmartEvent https://community.checkpoint.com/t5/SmartEvent/Sunburst-Report/m-p/106253#M12 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image1.png" style="width: 921px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9933iE6FCED14E92D2551/image-size/large?v=v2&amp;px=999" role="button" title="Image1.png" alt="Image1.png" /></span></P> <P><SPAN>***Last update - 24/12/20 - updated after a threat encountered at <A href="https://community.checkpoint.com/t5/SandBlast-Now/bd-p/sandblast-now" target="_blank" rel="noopener">CloudGuard NDR</A>. (Kudus&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1366">@Nir_Naaman</a>)</SPAN></P> <P>&nbsp;</P> <P><SPAN>In December 2020, a large-scale cyberattack targeting many organizations – predominantly tech companies, mainly in the United States, but not only there – was discovered to have been going on for several months. The attack was of a degree of sophistication that led to a quick consensus of involvement by a foreign government, and was extraordinary in both the amount of care taken in crafting it and the exotic vector of entry; instead of the usual phishing or even exploitation, the attackers carried out an elaborate supply chain attack.&nbsp;</SPAN></P> <P><SPAN>in this report you will be able to see results related to the attack if you have been affected.</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WhatsApp Image 2020-12-23 at 12.24.10.jpeg" style="width: 908px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9899i9F121120E6E62E62/image-size/large?v=v2&amp;px=999" role="button" title="WhatsApp Image 2020-12-23 at 12.24.10.jpeg" alt="WhatsApp Image 2020-12-23 at 12.24.10.jpeg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WhatsApp Image 2020-12-23 at 12.24.11.jpeg" style="width: 833px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9900i9A3B125E603CB8FD/image-size/large?v=v2&amp;px=999" role="button" title="WhatsApp Image 2020-12-23 at 12.24.11.jpeg" alt="WhatsApp Image 2020-12-23 at 12.24.11.jpeg" /></span></SPAN></P> <P><SPAN>More materials:&nbsp;</SPAN></P> <P><SPAN><A href="https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/" target="_blank" rel="noopener">https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/</A></SPAN></P> <P><SPAN><A href="https://blog.checkpoint.com/2020/12/21/best-practice-identifying-and-mitigating-the-impact-of-sunburst/" target="_blank" rel="noopener">https://blog.checkpoint.com/2020/12/21/best-practice-identifying-and-mitigating-the-impact-of-sunburst/</A></SPAN></P> <P><SPAN><A href="https://blog.checkpoint.com/2020/12/16/solarwinds-sunburst-attack-what-do-you-need-to-know/" target="_blank" rel="noopener">https://blog.checkpoint.com/2020/12/16/solarwinds-sunburst-attack-what-do-you-need-to-know/</A></SPAN></P> <P><SPAN>-------------------------------------------------------------------------------------------------</SPAN></P> <P>How to use the report:<BR />extract the file Sunburst_attack.cpr file to your desktop<BR />import the report to SmartView application (SmartConsole or Web)<BR />go to Report TAB<BR />double click on the report and define the time of query to start from 1.12.20</P> <P><SPAN>-------------------------------------------------------------------------------------------------</SPAN></P> <P>in parallel, run the following query in your smartlog:<BR />"solartrackingsystem.net" OR "virtualdataserver.com" OR "avsvmcloud.com" OR "freescanonline.com" OR "databasegalore.com" OR "digitalcollege.org" OR "incomeupdate.com" OR "deftsecurity.com" OR "highdatabase.com" OR "websitetheme.com" OR "thedoccloud.com" OR "panhardware.com" OR "avsvmcloud.com" OR "lcomputers.com" OR "zupertech.com" OR "kubecloud.com" OR "webcodez.com" OR "13.59.205.66" OR "54.193.127.66" OR "54.215.192.52" OR "34.203.203.23" OR "139.99.115.204" OR "5.252.177.25" OR "5.252.177.21" OR "204.188.205.176" OR "51.89.125.18" OR "167.114.213.199" OR "avsvmcloud.com" OR *sunburst* OR *sunburs*</P> <P><SPAN>when analyzing the logs, understand if the log was created from a research that was conducted by a SOC analyst in your network or the source of the activity is a host/server.&nbsp;&nbsp;</SPAN></P> <P><SPAN>-------------------------------------------------------------------------------------------------</SPAN></P> <P>in case you have a log related to one of the indicators OR the report resolved insights, contact Check Point Incident Response Team.</P> <P>emergency-response@checkpoint.com<BR />+1-866-923-0907</P> <P><SPAN>-------------------------------------------------------------------------------------------------</SPAN></P> <P>for more information on "how to import" the report, use the following documentations:<BR /><A href="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/188029" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/188029</A><BR /><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk117773" target="_blank" rel="noopener">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk117773</A></P> Sat, 29 Nov 2025 10:39:07 GMT Oren_Koren 2025-11-29T10:39:07Z Sunburst Report https://community.checkpoint.com/t5/SmartEvent/Sunburst-Report/m-p/106253#M12 200 Sat, 29 Nov 2025 10:39:07 GMT https://community.checkpoint.com/t5/SmartEvent/Sunburst-Report/m-p/106253#M12 Oren_Koren 2025-11-29T10:39:07Z