Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CP-Shark
Collaborator

Identify Threat Emulation Event - Details

Hello tech´s,

I can regulary see these events:

Events.png

In the details I see that the Threat Emulation is doing fine and all malicious files have been droppt. 

details.png

But I am more than interested of knowing where the emulation has been initiated from to inspect this specific device deeper. 
I spent already some time in that but cannot find more information on that.

Hope my case is clear.

Cheers,
Oliver

CCES / CCSA / CCSE
0 Kudos
9 Replies
Chris_Atkinson
Employee Employee
Employee

"API Emulation" implies another system / product (e.g. Browser extension) is submitting the files for evaluation so there will likely be details there to review.

But to start I would suggest reviewing the forensic report for more information if you've not already?

In the log window, under Forensic Details refer to the Vulnerable Operating Systems row - click on the Summary link.

 

If the browser extension is used verify the logging options are set per:

https://support.checkpoint.com/results/sk/sk108695
https://support.checkpoint.com/results/sk/sk171179

 

*Note: The Log is "Detect" not "Prevent" and the reference to dropped files is not in this context hence further investigation is warranted.  

CCSM R77/R80/ELITE
0 Kudos
CP-Shark
Collaborator

Hello Chris,

thank you for getting in touch on this.

In the log window, under Forensic Details refer to the Vulnerable Operating Systems row - click on the Summary link.

-> I can see what happened on the emulated OS incl. the Emulation Video. but I cannot identify from which client the emulation came from.

If the browser extension is used verify the logging options are set per:

-> I´ve checked the log settings in the registry and all 

2023-06-29 10_28_24-Window.png

 

CCES / CCSA / CCSE
0 Kudos
Chris_Atkinson
Employee Employee
Employee

Did you check the corresponding gateway setting to receive them?

What Endpoint client version is deployed and how is it managed?

CCSM R77/R80/ELITE
0 Kudos
CP-Shark
Collaborator

Could you provide more informations on your last post?

CCES / CCSA / CCSE
0 Kudos
Chris_Atkinson
Employee Employee
Employee

The Endpoint solution is either cloud managed or On-Prem.

Version wise is the client E86.80 or higher?

The SK article with the logs_enabled parameter also states:

The option needs to be enabled on the Security Gateway as well, logs_api_enabled needs to be set to TRUE under /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini

 

For faster resolution perhaps a remote session with TAC would be helpful. 

CCSM R77/R80/ELITE
0 Kudos
CP-Shark
Collaborator

Hi Chris,

our entire environment is On-Prem including TE Appliance.

Version is E86.50. We have a few test clients running on E87.20 as well.

Security Gateway = TE Appliance or is that our Endpoint Management Server?

CCES / CCSA / CCSE
0 Kudos
Chris_Atkinson
Employee Employee
Employee

TE appliance in this instance.

 

(Though obviously also worthwhile reviewing your Endpoint logs for the same time period aswell)

CCSM R77/R80/ELITE
0 Kudos
CP-Shark
Collaborator

Ok, I checked the TPAPI.ini and the logs_api_enabled was set to TRUE.

CCES / CCSA / CCSE
Chris_Atkinson
Employee Employee
Employee

OK Good. Please contact TAC to investigate further.

Very conscious of the time spent here versus actually investigating the endpoint itself.

With respect to that element note we do have an Incident Response service you can engage where needed.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events