
Automatic Reaction for Threat Emulation events

Hi,

I am trying to create an automatic reaction (email) when a Threat Emulation event occurs.

I can generate an event (by trying the demo malware on the ThreatWiki web site), but it looks like it never sends an email to notify the admin.

What would be the correct event definition in the SmartEvent Policy so that I can get an email notification?

Kind regards

5 Replies

Re: Automatic Reaction for Threat Emulation events

I have the same question. A customer wants to receive an email if a malicious file is detected by Threat Emulation.

I created an automatic reaction and a custom event, as we are running SmartEvent on a multi-customer MDS.

The event definition is:

But when a malicious file is detected, there is no e-mail sent.

Admin

Re: Automatic Reaction for Threat Emulation events

It would be helpful to see what log entries are showing up in your gateways for events that are not triggering.

You probably only need to match on the Verdict, not on the domain or the log_id.


Re: Automatic Reaction for Threat Emulation events

Hi Dameon,

As we are running on an MDS which has multiple customers connected, I have to filter on Domain.

Here are some of the log entries:

Admin

Re: Automatic Reaction for Threat Emulation events

Perhaps instead of filtering on Domain, you can try filtering on Origin, which would correspond to a gateway in a given domain.

It's possible you may also need to engage with the TAC.

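To check the two suggestions above (match on Verdict; scope per customer by Origin rather than Domain) against an exported log before touching the SmartEvent policy, here is an added example that is not part of the thread and not Check Point code. It dry-runs a field-equals-one-of match over a tab-separated SmartLog export; column names follow the export header quoted in the thread, while the row values, gateway names and domain names are constructed sample data.

```python
"""Dry-run a SmartEvent-style field match against Threat Emulation log rows.

Added example, written for this thread; not Check Point code, and it does
not talk to SmartEvent. It mimics the "column equals one of these values"
part of an event definition, so you can see which exported rows a set of
conditions would fire on and which Origin (gateway) values belong to each
Domain. Row values below are constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (tab-separated, a subset of the real columns).
SAMPLE_EXPORT = """\
Blade\tAction\tOrigin\tDomain\tVerdict\tFile Name
Threat Emulation\tPrevent\tgw-cust-a\tCustomer_A\tMalicious\t1EBF4.zip
Threat Emulation\tPrevent\tgw-cust-b\tCustomer_B\tMalicious\tINV 001.doc
Threat Emulation\tDetect\tgw-cust-a\tCustomer_A\tBenign\treport.pdf
Anti-Virus\tPrevent\tgw-cust-a\tCustomer_A\tMalicious\teicar.com
"""


def parse_export(text):
    """Parse a tab-separated SmartLog export into {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def matches(row, conditions):
    """True when every condition (column -> set of allowed values) holds."""
    return all(row.get(col) in allowed for col, allowed in conditions.items())


def firing_rows(rows, conditions):
    """Rows an automatic reaction would fire on under these conditions."""
    return [r for r in rows if matches(r, conditions)]


def origins_by_domain(rows):
    """Map each Domain to the Origin values seen in its logs; these are the
    gateway names to put in a per-customer event definition."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["Domain"]].add(r["Origin"])
    return dict(seen)


def customer_filter(origins):
    """Blade + Verdict + Origin: the condition set suggested in the thread."""
    return {"Blade": {"Threat Emulation"}, "Verdict": {"Malicious"},
            "Origin": set(origins)}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    gateways = origins_by_domain(rows)["Customer_A"]
    for r in firing_rows(rows, customer_filter(gateways)):
        print("would notify:", r["Origin"], r["File Name"])
```

Replace SAMPLE_EXPORT with a real export from SmartLog to see exactly which rows your conditions select; if the list is empty, the condition set is narrower than the logs, which is the symptom described in this thread.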

Re: Automatic Reaction for Threat Emulation events

Hi,


I’ll try to filter on origin and if that doesn’t help I will open a TAC case.


Thank you for your help so far.
