topic Re: Severity and Confidence Levels for Security Incident on Harmony Endpoint in Endpoint

Severity and Confidence Levels for Security Incident on Harmony Endpoint

TSOL — Mon, 12 Jul 2021 08:25:49 GMT

How is the severity and confidence assigned to all blades for Harmony Endpoint(Anti Malware/Anti Bot /URL Filtering/ Anti Ransomware/ Behavioral Guard / Threat Emulation / Anti Exploit/Firewall / Application Control/Compliance ).?

I found sk116254 but just regarding information of Quantum IPS /AV/AB.

And I found almost the same question in the Checkmates thread. However, the result ends with the technical team contacting the questioner.

Re: Severity and Confidence Levels for Security Incident on Harmony Endpoint

PhoneBoy — Mon, 12 Jul 2021 18:57:03 GMT

I assume you’re referring to this thread: https://community.checkpoint.com/t5/Endpoint/Severity-and-Confidence-Levels-for-Security-Incidents/m-p/106355#M3048

Like I said in that thread, the guidelines for IPS also generally apply for Harmony Endpoint.
@Guy_Avnet can we produce something similar to sk116254 but geared at Harmony Endpoint?

Re: Severity and Confidence Levels for Security Incident on Harmony Endpoint

TSOL — Tue, 13 Jul 2021 07:54:50 GMT

Thank you for your reply.
I wanted to check the URL and see the severity details.
Here's what I want to know:
For example, if severity is critical, under what conditions does it occur?

Re: Severity and Confidence Levels for Security Incident on Harmony Endpoint

PhoneBoy — Tue, 13 Jul 2021 20:04:51 GMT

Again, the guidance in sk116254 applies here.
That means the URL has something on it that generally involves remote code execution, is widely exploited, has no patch, is in wide use in Enterprises, etc.

Re: Severity and Confidence Levels for Security Incident on Harmony Endpoint

MikeB — Tue, 13 Jul 2021 20:43:51 GMT

It would be best to have an SK reference all blades/protections present in Harmony Endpoint. Many customers ask me about this and are not very convinced when I point to an SK that is focused on another product or protection not present in HE.

Re: Severity and Confidence Levels for Security Incident on Harmony Endpoint

TSOL — Mon, 26 Jul 2021 07:30:56 GMT

Thanks for your reply.
And I'm sorry for the late reply.

The SK is written "Severity is currently only set to distinguish between adware (assigned low severity) and malware (assigned medium or high severity). "
The harmony EN log also lists the severity of zero phishing blades and smart event clients.
I don't think there will be adware in the "Smart Event Client", but it will show a medium severity.
In addition, the content of events that occur with a critical severity in the "Endpoint Compliance Blade" includes signature update failures and so on.I don't think everything is malware or adware.

Is there a document explaining the severity of the harmony EN log?

Re: Severity and Confidence Levels for Security Incident on Harmony Endpoint

PhoneBoy — Mon, 26 Jul 2021 07:35:33 GMT

Specifically, no.
In general, the logs should comply with that SK, which now specifically mentions Harmony Endpoint.
There is probably a few cases where it doesn't exactly match what it says there.
For that, I recommend a TAC case.

Re: Severity and Confidence Levels for Security Incident on Harmony Endpoint

TSOL — Mon, 26 Jul 2021 07:59:03 GMT

I opened a new tack case.

Thanks for your advice.

Re: Severity and Confidence Levels for Security Incident on Harmony Endpoint

PhoneBoy — Thu, 21 Oct 2021 05:10:01 GMT

Actually, Harmony Endpoint is mentioned as one of the products in the SK now (wasn't before).
If you have specific feedback about what you feel is missing there, I recommend leaving it in the SK.