topic Identify Threat Emulation Event - Details in Endpoint

Identify Threat Emulation Event - Details

CP-Shark — Wed, 28 Jun 2023 20:54:57 GMT

Hello tech´s,

I can regulary see these events:

In the details I see that the Threat Emulation is doing fine and all malicious files have been droppt.

But I am more than interested of knowing where the emulation has been initiated from to inspect this specific device deeper.
I spent already some time in that but cannot find more information on that.

Hope my case is clear.

Cheers,
Oliver

Re: Identify Threat Emulation Event - Details

Chris_Atkinson — Fri, 30 Jun 2023 00:52:51 GMT

"API Emulation" implies another system / product (e.g. Browser extension) is submitting the files for evaluation so there will likely be details there to review.

But to start I would suggest reviewing the forensic report for more information if you've not already?

In the log window, under Forensic Details refer to the Vulnerable Operating Systems row - click on the Summary link.

If the browser extension is used verify the logging options are set per:

https://support.checkpoint.com/results/sk/sk108695
https://support.checkpoint.com/results/sk/sk171179

*Note: The Log is "Detect" not "Prevent" and the reference to dropped files is not in this context hence further investigation is warranted.

Re: Identify Threat Emulation Event - Details

CP-Shark — Thu, 29 Jun 2023 08:34:45 GMT

Hello Chris,

thank you for getting in touch on this.

In the log window, under Forensic Details refer to the Vulnerable Operating Systems row - click on the Summary link.

-> I can see what happened on the emulated OS incl. the Emulation Video. but I cannot identify from which client the emulation came from.

If the browser extension is used verify the logging options are set per:

-> I´ve checked the log settings in the registry and all

Re: Identify Threat Emulation Event - Details

Chris_Atkinson — Thu, 29 Jun 2023 10:26:12 GMT

Did you check the corresponding gateway setting to receive them?

What Endpoint client version is deployed and how is it managed?

Re: Identify Threat Emulation Event - Details

CP-Shark — Thu, 29 Jun 2023 13:09:02 GMT

Could you provide more informations on your last post?

Re: Identify Threat Emulation Event - Details

Chris_Atkinson — Thu, 29 Jun 2023 13:40:18 GMT

The Endpoint solution is either cloud managed or On-Prem.

Version wise is the client E86.80 or higher?

The SK article with the logs_enabled parameter also states:

The option needs to be enabled on the Security Gateway as well, logs_api_enabled needs to be set to TRUE under /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini

For faster resolution perhaps a remote session with TAC would be helpful.

Re: Identify Threat Emulation Event - Details

CP-Shark — Thu, 29 Jun 2023 14:04:55 GMT

Hi Chris,

our entire environment is On-Prem including TE Appliance.

Version is E86.50. We have a few test clients running on E87.20 as well.

Security Gateway = TE Appliance or is that our Endpoint Management Server?

Re: Identify Threat Emulation Event - Details

Chris_Atkinson — Thu, 29 Jun 2023 14:13:00 GMT

TE appliance in this instance.

(Though obviously also worthwhile reviewing your Endpoint logs for the same time period aswell)

Re: Identify Threat Emulation Event - Details

CP-Shark — Thu, 29 Jun 2023 14:28:47 GMT

Ok, I checked the TPAPI.ini and the logs_api_enabled was set to TRUE.

Re: Identify Threat Emulation Event - Details

Chris_Atkinson — Thu, 29 Jun 2023 14:42:21 GMT

OK Good. Please contact TAC to investigate further.

Very conscious of the time spent here versus actually investigating the endpoint itself.

With respect to that element note we do have an Incident Response service you can engage where needed.