Documentation for Advanced API Monitoring

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Documentation for Advanced API Monitoring

L2 Linker

Dear LIVE community,

 

Does anyone have any details on Advanced API monitoring? (Under Malware profile --> Global Behavioral Threat Protection Rules)

It is disabled by default and the only information we got so far was that it could help detect CVE-2023-23397.

 

Please share if you got any supporting document from Palo as I couldn't find any so far.
Cortex XDR 

AC
7 REPLIES 7

L4 Transporter

Hi @Antony_Chan, thank you for writing to Live Community.

On March 29th all XDR and XSIAM customers received an email about Advanced API Monitoring providing some additional details. Please find the content of the email below and let me know if you have any further questions.

----------

Dear customer,


A recent discovery of CVE-2023-23397, a critical vulnerability/0-day that impacts Microsoft Outlook has found that threat actors can obtain credentials without any user interaction (zero-touch).  The vulnerability, affecting all versions of Windows Outlook, was given a 9.8 CVSS rating.


BEST PRACTICE: Palo Alto Networks strongly recommends that you upgrade Outlook as soon as possible and follow Microsoft’s Security Advisory statement and MSRC’s blogpost regarding vulnerability CVE-2023-23397.


The Cortex XDR research team has investigated the above vulnerabilities, identified the exploit, and developed visibility into the exploitation attempts on endpoints running Microsoft Outlook.


Consequently, we are happy to announce that the Cortex XDR agent running on version 8.0.0 and above with content version 910-49200, together with Advanced API Monitoring enabled, will report the exploitation attempt.


To ensure you receive alerts and monitor exploitation attempts:

  • Verify that you are using Cortex XDR agent version 8.0 and above.

  • Verify that your agent is updated to content version 910-49200.

  • Enable ‘Advanced API Monitoring’ in the Malware Profile. Go to Policy Management > Profiles > Malware Profile > Global Behavioral Threat Protection Rules >Advanced API Monitoring and select - Report.

  • Restart your running outlook applications to ensure full coverage.


New behavioral threat protection rules have been added to notify you about exploitations attempts (The alert can be displayed in two forms, depending on whether you enabled ‘Informative BTP Alerts’ in the agent configuration):

 

 

Alert Name

Alert Description

Informative BTP Alerts Enabled 

CVE Exploitation - 3933073311

Outlook exploit CVE-2023-23397 variant

Informative BTP Alerts Disabled

Behavioral Threat

Behavioral threat detected (rule_id:bioc.outlook_exploit_cve-2023-23397)

* only supported for Cortex XDR Agent 8.0 and above

 

 

We are continuously working on expanding our coverage and will be providing additional information as we learn the changing threat vectors. 

 

If you have any questions, please contact our customer support team.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

L1 Bithead

Hello, I received that email as well and understand it is recommended to turn on, but we have a customer that is asking how the Advanced API Monitoring actually works and if there is an operational impact. I recommended testing in a staging environment but that doesn't answer the first question. If this involves process hooking, will a reboot of the system be required? Any other information on this is appreciated. Thank you

L0 Member

We're also curious for additional information. There is nothing in the XDR Prevent Administrator's Guide.

 

Our console has an option to Enable or Disable. However, the email regarding CVE-2023-23397, and quoted in mavraham's post, says to set Advanced API Monitoring to "report."

L0 Member

We are also curious if anybody has managed to find any documentation on this option.

L0 Member

I'm also here to understand what Advanced API Monitoring does exactly.

Me too. Waiting for more info about it. 

L4 Transporter

@Joseph_Hunter you are correct, the initial email sent to customers mentioned putting in Report Mode.
The Block/Report option is configured at the protection module level.

Advanced API Monitoring has now been added to the Admin Guide, properly reflecting the available options (enable/disable).
 

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

  • 2787 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!