05-01-2023 08:12 PM
Dear LIVE community,
Does anyone have any details on Advanced API monitoring? (Under Malware profile --> Global Behavioral Threat Protection Rules)
It is disabled by default and the only information we got so far was that it could help detect CVE-2023-23397.
Please share if you got any supporting document from Palo as I couldn't find any so far.
Cortex XDR
05-02-2023 03:31 AM - edited 05-02-2023 03:33 AM
Hi @Antony_Chan, thank you for writing to Live Community.
On March 29th all XDR and XSIAM customers received an email about Advanced API Monitoring providing some additional details. Please find the content of the email below and let me know if you have any further questions.
Dear customer,
A recent discovery of CVE-2023-23397, a critical vulnerability/0-day that impacts Microsoft Outlook has found that threat actors can obtain credentials without any user interaction (zero-touch). The vulnerability, affecting all versions of Windows Outlook, was given a 9.8 CVSS rating.
BEST PRACTICE: Palo Alto Networks strongly recommends that you upgrade Outlook as soon as possible and follow Microsoft’s Security Advisory statement and MSRC’s blogpost regarding vulnerability CVE-2023-23397.
The Cortex XDR research team has investigated the above vulnerabilities, identified the exploit, and developed visibility into the exploitation attempts on endpoints running Microsoft Outlook.
Consequently, we are happy to announce that the Cortex XDR agent running on version 8.0.0 and above with content version 910-49200, together with Advanced API Monitoring enabled, will report the exploitation attempt.
To ensure you receive alerts and monitor exploitation attempts:
Verify that you are using Cortex XDR agent version 8.0 and above.
Verify that your agent is updated to content version 910-49200.
Enable ‘Advanced API Monitoring’ in the Malware Profile. Go to Policy Management > Profiles > Malware Profile > Global Behavioral Threat Protection Rules >Advanced API Monitoring and select - Report.
Restart your running outlook applications to ensure full coverage.
New behavioral threat protection rules have been added to notify you about exploitations attempts (The alert can be displayed in two forms, depending on whether you enabled ‘Informative BTP Alerts’ in the agent configuration):
|
Alert Name |
Alert Description |
|
|
Informative BTP Alerts Enabled |
CVE Exploitation - 3933073311 |
Outlook exploit CVE-2023-23397 variant |
|
Informative BTP Alerts Disabled |
Behavioral Threat |
Behavioral threat detected (rule_id:bioc.outlook_exploit_ |
* only supported for Cortex XDR Agent 8.0 and above
We are continuously working on expanding our coverage and will be providing additional information as we learn the changing threat vectors.
If you have any questions, please contact our customer support team.
05-02-2023 09:21 AM
Hello, I received that email as well and understand it is recommended to turn on, but we have a customer that is asking how the Advanced API Monitoring actually works and if there is an operational impact. I recommended testing in a staging environment but that doesn't answer the first question. If this involves process hooking, will a reboot of the system be required? Any other information on this is appreciated. Thank you
05-17-2023 11:27 AM
We're also curious for additional information. There is nothing in the XDR Prevent Administrator's Guide.
Our console has an option to Enable or Disable. However, the email regarding CVE-2023-23397, and quoted in mavraham's post, says to set Advanced API Monitoring to "report."
05-17-2023 01:23 PM
We are also curious if anybody has managed to find any documentation on this option.
05-17-2023 10:23 PM
Me too. Waiting for more info about it.
05-18-2023 05:30 AM - edited 05-18-2023 06:38 AM
@Joseph_Hunter you are correct, the initial email sent to customers mentioned putting in Report Mode.
The Block/Report option is configured at the protection module level.
Advanced API Monitoring has now been added to the Admin Guide, properly reflecting the available options (enable/disable).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
