Joshua
Contributor

SmartEvent Mail Alert for Threat Emulation

Hello everybody,

Is there any way to have a mail alert sent for Threat Emulation events with High severity that were only detected, but not prevented?
In SmartEvent, there seems to be only an option to choose Severity.
[Screenshot: Threat_Emulation_Alert.png]

I already looked at the 'Global Exclusions' filter. The description states that it 'discards logs whose properties match the values in the filter fields. These logs will not participate in any event processing.' Since I don't want to exclude the prevented Threat Emulation incidents from my SmartEvent correlations, and this page does not offer the option to exclude by action, this is no help.

Any suggestions or new insights are very welcome.


Joshua

3 Replies
G_W_Albrecht
Legend

Did you try to define a User Defined Event for this? On the other hand, I would never set Threat Emulation events with High severity to be only detected - even when an email alert is sent at the same time as the detected malware attached to an email, the chance is high that your user gets infected. During the first period when TP is put into production, detect makes much sense, but later it only takes CPU from GWs without any protection. I suggest using prevent or disable only...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Joshua
Contributor

I did not try a User Defined Event, but I will look into it, thanks!

There seem to be cases in which the Threat Emulation Blade does not prevent a File with Critical Severity and High Confidence Level from getting to the user, even with prevent enabled for these files. 
Having this alert allows for a quicker response time in such cases.

G_W_Albrecht
Legend

I understand - I have known of such bugs, too. See sk106119: Threat Emulation blade generates a "Detect" log instead of "Prevent" log and sk114522: Threat emulation Detect log for "File exceeded size limit" when exception is set to the sp...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
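As an added example, not from this thread and not Check Point's own tooling: the filter the question asks for (Threat Emulation, High or Critical severity, action Detect rather than Prevent) expressed as a small Python pass over exported log lines, of the kind you could run on a Log Exporter feed before handing matches to a mail hook. It assumes logs arrive one JSON record per line and that the fields `product`, `action`, `severity`, `confidence_level`, `file_name`, `src` and `dst` exist under those names; the sample records are constructed. Because it keys on the action the blade actually logged, not on the policy setting, it also surfaces the case raised above where prevent mode still produces a Detect log.

```python
"""Flag Threat Emulation logs that were only detected, not prevented.

Added example for this thread; field names follow the key/value layout
commonly seen from Check Point Log Exporter but are assumptions here,
as are the sample records (constructed, not real traffic)."""

import json

# Severities worth a mail alert (compared case-insensitively).
ALERT_SEVERITIES = {"high", "critical"}

# Constructed sample records: one prevented Critical (ignored), one
# Detect-only Critical (alert), one Detect-only Low (ignored), one IPS log
# (wrong blade, ignored), one Detect-only High with odd casing (alert),
# and one malformed line that a rotated file might leave behind (skipped).
SAMPLE_LINES = [
    '{"product": "Threat Emulation", "action": "Prevent", "severity": "Critical", '
    '"confidence_level": "High", "file_name": "quote.xlsm", "src": "203.0.113.7", "dst": "10.0.0.21"}',
    '{"product": "Threat Emulation", "action": "Detect", "severity": "Critical", '
    '"confidence_level": "High", "file_name": "invoice.docx", "src": "198.51.100.4", "dst": "10.0.0.33"}',
    '{"product": "Threat Emulation", "action": "Detect", "severity": "Low", '
    '"confidence_level": "Low", "file_name": "readme.pdf", "src": "198.51.100.9", "dst": "10.0.0.40"}',
    '{"product": "IPS", "action": "Detect", "severity": "High", '
    '"protection_name": "Web Server Enforcement Violation", "src": "192.0.2.15", "dst": "10.0.0.5"}',
    '{"product": "Threat Emulation", "action": "detect", "severity": "high", '
    '"confidence_level": "Medium", "file_name": "setup.exe", "src": "203.0.113.50", "dst": "10.0.0.12"}',
    'not json at all -- a truncated line from a rotated file',
]


def parse_log_lines(lines):
    """Parse JSON-per-line records, silently skipping lines that are not a JSON object."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:  # json.JSONDecodeError is a ValueError
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def _norm(value):
    """Case- and whitespace-insensitive comparison key; missing values become ''."""
    return str(value).strip().casefold() if value is not None else ""


def is_detect_only_te(record):
    """True for a Threat Emulation log with alert-worthy severity whose action is Detect.

    Prevent logs are deliberately left out: the question is about files the blade
    saw but let through, whatever the policy said it should have done."""
    return (_norm(record.get("product")) == "threat emulation"
            and _norm(record.get("action")) == "detect"
            and _norm(record.get("severity")) in ALERT_SEVERITIES)


def build_alert(record):
    """One-line alert text suitable for a mail subject or a ticket title."""
    return "TE detect-only: severity=%s confidence=%s file=%s src=%s dst=%s" % (
        record.get("severity", "?"), record.get("confidence_level", "?"),
        record.get("file_name", "?"), record.get("src", "?"), record.get("dst", "?"))


def detect_only_alerts(lines):
    """Run the filter over raw log lines and return the alert strings."""
    return [build_alert(r) for r in parse_log_lines(lines) if is_detect_only_te(r)]


if __name__ == "__main__":
    for alert in detect_only_alerts(SAMPLE_LINES):
        print(alert)
```

The severity set and the field names are the two things to adjust to your own export format; everything else is the same three-way test (blade, action, severity) that a SmartEvent User Defined Event would express in its filter.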
