topic Re: Documentation for Advanced API Monitoring in Cortex XDR Discussions

Documentation for Advanced API Monitoring

Antony_Chan — Tue, 02 May 2023 03:12:34 GMT

Dear LIVE community,

Does anyone have any details on Advanced API monitoring? (Under Malware profile --> Global Behavioral Threat Protection Rules)

It is disabled by default and the only information we got so far was that it could help detect CVE-2023-23397.

Please share if you got any supporting document from Palo as I couldn't find any so far.

Re: Documentation for Advanced API Monitoring

mavraham — Tue, 02 May 2023 10:33:45 GMT

Hi @Antony_Chan, thank you for writing to Live Community.

On March 29th all XDR and XSIAM customers received an email about Advanced API Monitoring providing some additional details. Please find the content of the email below and let me know if you have any further questions.

----------

Dear customer,

A recent discovery of CVE-2023-23397, a critical vulnerability/0-day that impacts Microsoft Outlook has found that threat actors can obtain credentials without any user interaction (zero-touch). The vulnerability, affecting all versions of Windows Outlook, was given a 9.8 CVSS rating.

BEST PRACTICE: Palo Alto Networks strongly recommends that you upgrade Outlook as soon as possible and follow Microsoft’s Security Advisory statement and MSRC’s blogpost regarding vulnerability CVE-2023-23397.

The Cortex XDR research team has investigated the above vulnerabilities, identified the exploit, and developed visibility into the exploitation attempts on endpoints running Microsoft Outlook.

Consequently, we are happy to announce that the Cortex XDR agent running on version 8.0.0 and above with content version 910-49200, together with Advanced API Monitoring enabled, will report the exploitation attempt.

To ensure you receive alerts and monitor exploitation attempts:

Verify that you are using Cortex XDR agent version 8.0 and above.
Verify that your agent is updated to content version 910-49200.
Enable ‘Advanced API Monitoring’ in the Malware Profile. Go to Policy Management > Profiles > Malware Profile > Global Behavioral Threat Protection Rules >Advanced API Monitoring and select - Report.
Restart your running outlook applications to ensure full coverage.

New behavioral threat protection rules have been added to notify you about exploitations attempts (The alert can be displayed in two forms, depending on whether you enabled ‘Informative BTP Alerts’ in the agent configuration):

	Alert Name	Alert Description
Informative BTP Alerts Enabled	CVE Exploitation - 3933073311	Outlook exploit CVE-2023-23397 variant
Informative BTP Alerts Disabled	Behavioral Threat	Behavioral threat detected (rule_id:bioc.outlook_exploit_cve-2023-23397)

* only supported for Cortex XDR Agent 8.0 and above

We are continuously working on expanding our coverage and will be providing additional information as we learn the changing threat vectors.

If you have any questions, please contact our customer support team.

Re: Documentation for Advanced API Monitoring

Joe_Botelho — Tue, 02 May 2023 16:21:39 GMT

Hello, I received that email as well and understand it is recommended to turn on, but we have a customer that is asking how the Advanced API Monitoring actually works and if there is an operational impact. I recommended testing in a staging environment but that doesn't answer the first question. If this involves process hooking, will a reboot of the system be required? Any other information on this is appreciated. Thank you

Re: Documentation for Advanced API Monitoring

Joseph_Hunter — Wed, 17 May 2023 18:27:39 GMT

We're also curious for additional information. There is nothing in the XDR Prevent Administrator's Guide.

Our console has an option to Enable or Disable. However, the email regarding CVE-2023-23397, and quoted in mavraham's post, says to set Advanced API Monitoring to "report."

Re: Documentation for Advanced API Monitoring

Nick_Burns — Wed, 17 May 2023 20:23:46 GMT

We are also curious if anybody has managed to find any documentation on this option.

Re: Documentation for Advanced API Monitoring

earldieta — Wed, 17 May 2023 20:37:31 GMT

I'm also here to understand what Advanced API Monitoring does exactly.

Re: Documentation for Advanced API Monitoring

IChen3 — Thu, 18 May 2023 05:23:29 GMT

Me too. Waiting for more info about it.

Re: Documentation for Advanced API Monitoring

mavraham — Thu, 18 May 2023 13:38:55 GMT

@Joseph_Hunter you are correct, the initial email sent to customers mentioned putting in Report Mode.
The Block/Report option is configured at the protection module level.

Advanced API Monitoring has now been added to the Admin Guide, properly reflecting the available options (enable/disable).