5. Check Point SandBlast Agent Management Platform. Logs, Reports & Forensics. Threat Hunting

Welcome to the fifth article in the Check Point SandBlast Agent Management Platform series. Previous articles can be found via the relevant links: first, second, third, fourth. Today we will look at the monitoring capabilities of the Management Platform, namely working with logs, interactive dashboards (View) and reports. We will also touch on Threat Hunting as a way to identify current threats and anomalous events on user machines.

Logs

The main source of information for monitoring security events is the Logs section, which displays detailed information on each incident and offers convenient filters for refining the search criteria. For example, right-clicking on a parameter (Blade, Action, Severity, etc.) of a log of interest lets you apply it as Filter: "Parameter" or Filter Out: "Parameter". The Source field also offers an IP Tools option, from which you can ping the given IP address or host name, or run nslookup to resolve the source IP address from its name.

The Logs section also has a Statistics subsection for filtering events, which displays statistics for all parameters: a time chart with the number of logs, as well as percentage breakdowns for each parameter. From this subsection you can filter the logs without touching the search bar or writing filter expressions: just select the parameters of interest and a new list of logs is displayed immediately.

Detailed information on each log is available in the right pane of the Logs section, but it is more convenient to open the log by double-clicking on it to analyze its contents. Below is an example of a log (the image is clickable) showing detailed information on the Prevent action of the Threat Emulation blade being triggered on an infected ".docx" file. The log has several subsections that describe the security event: the policy and protection triggered, forensic details, client and traffic information. The reports available from the log deserve special attention: the Threat Emulation Report and the Forensics Report. These reports can also be opened from the SandBlast Agent client.

Threat Emulation Report

When the Threat Emulation blade is in use, after emulation has been performed in the Check Point cloud a link appears in the corresponding log to a detailed report on the emulation results, the Threat Emulation Report. The contents of such a report are described in detail in our article on malware analysis with Check Point SandBlast Network Forensics. It is worth noting that this report is interactive and allows you to drill down into the details of each section. It is also possible to view a recording of the emulation process in the virtual machine, download the original malicious file or obtain its hash, and contact the Check Point Incident Response Team.

Forensics Report

For almost any security event a Forensics Report is generated, which includes detailed information about the malicious file: its characteristics, actions, entry point into the system, and impact on important company assets. We covered the structure of this report in detail in the article on malware analysis with Check Point SandBlast Agent forensics. Such a report is an important source of information when investigating security events, and if necessary its contents can be sent directly to the Check Point Incident Response Team.

SmartView

Check Point SmartView is a convenient tool for building and viewing dynamic dashboards (View) and reports in PDF format. From SmartView you can also view user logs and administrator audit events. The figure below shows the most useful reports and dashboards for working with SandBlast Agent.

Reports in SmartView are documents with statistical information about events over a certain period of time. A report can be downloaded as a PDF to the machine where SmartView is open, or sent on a schedule in PDF/Excel format to the administrator's email. Import/export of report templates, creation of your own reports, and hiding of usernames in reports are also supported. The figure below shows an example of the built-in Threat Prevention report.

Dashboards (View) in SmartView give the administrator direct access to the logs behind a given event: just double-click on the object of interest, whether it is a chart column or the name of a malicious file. As with reports, you can create your own dashboards and hide user data. Dashboards also support template import/export, scheduled PDF/Excel delivery to the administrator's email, and automatic data refresh for real-time monitoring of security events.

Additional Monitoring Sections

A description of the monitoring tools in the Management Platform would be incomplete without mentioning the Overview, Computer Management, Endpoint Settings, and Push Operations sections. These sections were described in detail in the second article, but it is useful to consider how they help with monitoring tasks. Let's start with Overview, which consists of two subsections, Operational Overview and Security Overview; both are dashboards with information about the status of protected user machines and security events. As with any other dashboard, double-clicking on a parameter of interest in the Operational Overview or Security Overview subsection takes you to the Computer Management section with the corresponding filter applied (for example, "Desktops" or "Pre-Boot Status: Enabled"), or to the Logs for a specific event. The Security Overview subsection is the "Cyber Attack View - Endpoint" dashboard, which can be customized and set to refresh its data automatically.

From the Computer Management section you can monitor the state of the agent on user machines, the update status of the Anti-Malware database, the progress of disk encryption, and much more. All data is refreshed automatically, and for each filter the percentage of user machines matching it is displayed. Export of computer data in CSV format is also supported.

An important aspect of workstation security monitoring is setting up notifications about critical events (Alerts) and exporting logs (Export Events) for storage on the company's log server. Both are configured in the Endpoint Settings section. For Alerts, you can connect a mail server to send event notifications to the administrator and configure thresholds for enabling/disabling notifications depending on the percentage or number of devices that match the event criteria. Export Events lets you configure the transfer of logs from the Management Platform to the company's log server for further processing. The SYSLOG, CEF, LEEF and SPLUNK formats are supported, over TCP or UDP, to any SIEM that runs a syslog agent, with TLS/SSL encryption and syslog client authentication.
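A small parser for the CEF export format mentioned above, added here as an example (not code from the article or from Check Point). The sample lines are constructed; the vendor/product strings and extension keys (act, fname, shost, suser) are assumptions for illustration, not Check Point's actual CEF schema.

```python
import re

# Constructed sample CEF lines standing in for exported SandBlast Agent events.
# Vendor/product strings and extension keys are assumptions for illustration.
SAMPLE_CEF_LINES = [
    "CEF:0|Check Point|SandBlast Agent|1.0|te_prevent|Threat Emulation|9|"
    "act=Prevent fname=invoice.docx shost=WS-042 suser=alice",
    "CEF:0|Check Point|SandBlast Agent|1.0|am_detect|Anti-Malware|5|"
    "act=Detect fname=tool.exe shost=WS-017 suser=bob",
    # CEF requires '=' inside an extension value to be escaped as '\='.
    "CEF:0|Check Point|SandBlast Agent|1.0|te_prevent|Threat Emulation|9|"
    "act=Prevent fname=report\\=Q1.docx shost=WS-009 suser=carol",
]

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
# key=value pairs: a value runs until the next " key=" or the end of the
# string and may contain backslash escapes.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)")


def parse_cef(line: str) -> dict:
    """Parse one CEF line into a flat dict of header fields and extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # The header uses '|' as separator; an escaped '\|' belongs to the field.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    rec = {k: v.replace("\\|", "|").replace("\\\\", "\\")
           for k, v in zip(HEADER_KEYS, parts[:7])}
    for key, val in EXT_RE.findall(parts[7]):
        rec[key] = re.sub(r"\\(.)", r"\1", val)  # unescape \= and \\
    rec["severity"] = int(rec["severity"])
    return rec


def prevented_files(lines) -> list:
    """Return (host, file) pairs for events where the blade blocked the file."""
    out = []
    for rec in map(parse_cef, lines):
        if rec.get("act") == "Prevent":
            out.append((rec["shost"], rec["fname"]))
    return out
```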

For in-depth analysis of events on the agent, or when contacting technical support, you can quickly collect logs from the SandBlast Agent client with a forced operation in the Push Operations section. The generated log archive can be transferred to Check Point servers or to corporate servers, and it is also saved on the user machine in the C:\Users\username\CPInfo directory. Log collection can be scheduled for a specified time, and the user can be allowed to postpone the operation.

Threat Hunting

Threat Hunting is the practice of proactively searching for malicious activity and anomalous behavior in a system in order to investigate a potential security event further. The Threat Hunting section in the Management Platform allows you to search the user machine data for events matching specified parameters.

The Threat Hunting tool has several preset queries, for example to classify malicious domains or files, or to track rare accesses to certain IP addresses (relative to the overall statistics). A query consists of three parts: an indicator (network protocol, process ID, file type, etc.), an operator ("is", "is not", "includes", "one of", etc.) and the query body. Regular expressions can be used in the query body, and several filters can be combined in the search bar at once.

Once a filter is selected and the query is processed, all matching events are listed, with the ability to view event details, quarantine the object the query matched, or generate a detailed Forensics Report describing the event. At the moment the tool is in beta, and the feature set is planned to grow, for example by adding event information in the form of a MITRE ATT&CK matrix.
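A minimal evaluator for the indicator / operator / body query structure described above, added here as an example (not the Management Platform's own implementation). The event records and field names are constructed to mirror the indicators the article lists; the rarity threshold in the preset-style query is an assumption.

```python
import re
from collections import Counter

# Constructed endpoint event records standing in for the Threat Hunting data set.
EVENTS = [
    {"host": "WS-042", "process": "winword.exe", "file_type": "docx", "protocol": "https", "dst_ip": "203.0.113.10"},
    {"host": "WS-017", "process": "powershell.exe", "file_type": "ps1", "protocol": "https", "dst_ip": "203.0.113.10"},
    {"host": "WS-009", "process": "excel.exe", "file_type": "xlsm", "protocol": "https", "dst_ip": "203.0.113.10"},
    {"host": "WS-017", "process": "cmd.exe", "file_type": "bat", "protocol": "smb", "dst_ip": "198.51.100.7"},
    {"host": "WS-003", "process": "chrome.exe", "file_type": "", "protocol": "https", "dst_ip": "203.0.113.10"},
    {"host": "WS-003", "process": "chrome.exe", "file_type": "", "protocol": "https", "dst_ip": "203.0.113.10"},
]

# Operators from the article; "includes" treats the query body as a regex.
OPERATORS = {
    "is": lambda value, body: value == body,
    "is not": lambda value, body: value != body,
    "includes": lambda value, body: re.search(body, value) is not None,
    "one of": lambda value, body: value in body,
}


def run_query(events, filters):
    """filters: list of (indicator, operator, body); every filter must match (AND)."""
    matched = []
    for ev in events:
        if all(OPERATORS[op](ev.get(ind, ""), body) for ind, op, body in filters):
            matched.append(ev)
    return matched


def rare_destinations(events, max_share=0.25):
    """Preset-style query: destinations contacted by at most max_share of all events."""
    counts = Counter(ev["dst_ip"] for ev in events)
    total = len(events)
    return sorted(ip for ip, n in counts.items() if n / total <= max_share)


def hosts(events):
    """Distinct hosts in a result set, in first-seen order."""
    return list(dict.fromkeys(ev["host"] for ev in events))
```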

Conclusion

To summarize: in this article we examined the security event monitoring capabilities of the SandBlast Agent Management Platform and looked at Threat Hunting, a new tool for proactively searching for malicious actions and anomalies on user machines. The next article will be the last in this series; in it we will cover the most common questions about the Management Platform solution and describe the options for testing the product.

A large selection of materials on Check Point is available from TS Solution. To avoid missing the next publications on the SandBlast Agent Management Platform, follow our updates on social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: habr.com