Dale_Lobb
Advisor

Log differences depending on access search method

  Has anyone noticed anything like this?

  One of our Security Engineers was tooling through SmartEvent dashboards and found what appears to be security events around allowed emails that were found to contain malicious attachments. Drilling down into the dashboard shows AV logs that are Action:Detect for High Severity, High Confidence events. However, performing a regular log search of the AV blade for the same criteria (High Severity/High Confidence, same time frame) shows those exact same events to be Action:Prevent.

2 Replies
Dale_Lobb
Advisor

Here are a couple of log events in detail. These were chosen as corresponding logs for time stamp and other matching details, some of which are redacted.

Log event from SmartEvent dashboard drill down:

Time: 2022-03-11T20:22:20Z
Interface Direction: inbound
Interface Name: MTA
Id: fee8f7a6-ad01-e46b-f47d-455581020742
Sequencenum: 1087
Triggered By: MTA
Original Queue ID: 4KFcmS4QNpzMr92B
Log ID: 0
Threat Prevention Rule Id:F3685820-E4AF-48C4-A3FA-1537601C733C
Severity: High
Confidence Level: High
Malware Action: Malicious file/exploit download
Protection Type: Signature
Verdict: Malicious
Risk: 100
Source: <redacted>
Destination Country: United States
Destination: <redacted>
IP Protocol: 6
Destination Port: 25
Sender: <redacted>
Recipient: <redacted>
Email Subject: MAC March Lunch and Learn
Email Recipients Number: 1
Scan Result: Malicious
Protection Name: AdRedirector
Action: Detect                                             <==========
Type: Log
Blade: Anti-Virus
Origin: athos
Service: TCP/25
Product Family: Threat
Resource: http://myprounouns.org
Marker: @A@@B@1647029171@C@1973507
Log Server Origin: <redacted>
Orig Log Server Ip: <redacted>
Duplicated: 1
Index Time: 2022-03-11T20:22:21Z
Lastupdatetime: 1647030140000
Lastupdateseqnum: 1087
Rounded Sent Bytes: 0
Rounded Bytes: 0
Stored: true
Rounded Received Bytes: 0
Interface: MTA
Description: <redacted> sent a malicious mail containing a malicious file to <redacted> that was detected

Log event from log search

Id: fee8f7a6-ad01-e46b-f47d-455581020742
Marker: @A@@B@1647029171@C@2001680
Log Server Origin: <redacted>
Time: 2022-03-11T20:22:20Z
Interface Direction: inbound
Interface Name: MTA
Id Generated By Indexer: false
First: false
Sequencenum: 1654
Triggered By: MTA
Original Queue ID: 4KFcmS4QNpzMr92B
Log ID: 0
Threat Prevention Rule Id:F3685820-E4AF-48C4-A3FA-1537601C733C
Severity: High
Confidence Level: High
Malware Action: Malicious file/exploit download
Protection Type: Signature
Verdict: Malicious
Risk: 100
Source: <redacted>
Destination: <redacted>
IP Protocol: 6
Destination Port: 25
Sender: <redacted>
Recipient: <redacted>
Email Subject: MAC March Lunch and Learn
Email Recipients Number: 1
Scan Result: Malicious
Protection Name: AdRedirector
Last Update Time: 2022-03-11T20:22:34Z
Action: Prevent                                                        <============
Type: Log
Blade: Anti-Virus
Origin: athos
Service: TCP/25
Product Family: Threat
Resource: http://myprounouns.org
Interface: MTA
Description: <redacted> sent a malicious mail containing a malicious file to <redacted> that was prevented

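Added example, not from the original thread: a small Python script that correlates the two records above by Id, lists the fields where the SmartEvent drill-down and the log search disagree, and, purely as an assumption for illustration, treats the record with the later update time as the final enforcement state. The embedded records are trimmed copies of the two quoted in the post.

```python
# Added example, not from the original post: correlate the two views of one
# Check Point event by Id and list the fields that disagree. The records are
# trimmed copies of the two quoted above; "latest update wins" is an assumption.
from datetime import datetime, timezone

DASHBOARD_VIEW = """\
Id: fee8f7a6-ad01-e46b-f47d-455581020742
Sequencenum: 1087
Marker: @A@@B@1647029171@C@1973507
Lastupdatetime: 1647030140000
Action: Detect
"""

LOG_SEARCH_VIEW = """\
Id: fee8f7a6-ad01-e46b-f47d-455581020742
Sequencenum: 1654
Marker: @A@@B@1647029171@C@2001680
Last Update Time: 2022-03-11T20:22:34Z
Action: Prevent
"""

def parse_record(text):
    """Parse 'Field: value' lines into a dict (values may contain ':' too)."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec

def update_time(rec):
    """Normalise both update-time encodings (epoch ms vs ISO-8601 'Z') to UTC."""
    if "Lastupdatetime" in rec:
        return datetime.fromtimestamp(int(rec["Lastupdatetime"]) / 1000, tz=timezone.utc)
    ts = datetime.strptime(rec["Last Update Time"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)

def diff_records(a, b, ignore=("Lastupdatetime", "Last Update Time")):
    """Return {field: (a_value, b_value)} for every field whose values differ."""
    keys = (set(a) | set(b)) - set(ignore)
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}

def latest_action(records):
    """Pick the Action of the most recently updated record sharing one Id."""
    if len({r["Id"] for r in records}) != 1:
        raise ValueError("records do not share a single Id")
    return max(records, key=update_time)["Action"]

if __name__ == "__main__":
    dash, search = parse_record(DASHBOARD_VIEW), parse_record(LOG_SEARCH_VIEW)
    print(diff_records(dash, search), latest_action([dash, search]))
```

Running it reports Action, Marker and Sequencenum as the disagreeing fields and picks Prevent as the later-updated state, which is the pattern worth checking across a wider time window before concluding the dashboard is wrong.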
PhoneBoy
Admin

Might be worth a TAC case
