
Emulation Results


Last updated 9 months ago

When the emulation is completed, the EVE agent sends the results to the Platform, where the user can see the details of what happened during the emulation.

Once EVE identifies that a cyber-attack / emulation cannot be halted at the security controls level, the platform discloses this information along with potential remediation alternatives for the organization's security teams and controls, such as firewall, IDS/IPS, NDR, SIEM, EDR, AV, XDR, SOC or any other.

After the completion of the emulation, EVE provides a report detailing the results obtained and the success level of the attack simulation or emulation. The report includes associated recommendations.

To view the results of an Emulation, follow the steps below:

  1. On the Emulations "On Demand" table, click the button corresponding to the desired Emulation in the Reports column.

  2. The Emulation Report section will open, which presents in detail what was seen during the emulation. In this section the user can find the elements and actions described below.

Change Perspective

By default, the attack view and perspective are shown. They can be identified by the red color in the margin of the other sections and by the top button reading "Attack Mode". This mode allows the user to see the results of the emulation from an attacker's point of view.

To switch to defense mode, click the "Attack Mode" button to change it to "Defense Mode". The defense mode can be identified by the blue color in the margin of the other sections. This mode allows the user to see the results of the emulation from the defense point of view.

Reports

EVE allows direct download of reports in PDF or .xlsx format for the selected Emulation.

Threat File Results Summary

Displays the number of hosts that took part in the emulation, the count of Emulations performed and the emulation vector. Click the button to display a window with the count of sent, failed and successful Emulations.

Four widgets display the percentage of successful and unsuccessful Emulations as well as the number of artifacts that were successfully and unsuccessfully executed.

Emulation Results

The results of the emulation are presented in a table with the general columns Hostname, Advanced Results, Created, Updated and Status.

File Level Results

The results of the emulation detailed by artifact are presented in the form of a table. The information presented corresponds to:

  • Hostname: Name of the Endpoint that received the artifact.

  • File: Name of the artifact sent.

  • Package: Name of the package to which the artifact belongs.

  • Start: Date and time when the emulation of the artifact on the device was started. If the artifact is stopped by a security solution that prevents emulation, Not Start is displayed.

  • Finish: Date and time when the emulation of the artifact was finished. If the artifact is stopped by a security solution that prevents emulation, Not Finish is displayed.

  • Emulation Status: Displays Success if the artifact was executed on the Endpoint, and Fail if the artifact did not run on the Endpoint.

  • Package Description: The description of the package sent in the emulation.

  • MITRE Attack Applied: Describes each of the MITRE ATT&CK Tactics used in the package.

  • Attack Life Cycle: Graphically shows in which phases of the life cycle of an attack the emulation package is active. This graph is merely illustrative and does not necessarily indicate that every phase of the attack life cycle shown was performed.

  • Network Vector: An indicator shows whether the artifact was or was not able to breach the network vector. To breach the network vector means that the sample was able to download on the endpoint.

  • Endpoint Vector: An indicator shows whether the artifact was or was not able to breach the Endpoint vector. To breach the Endpoint vector means that the sample survived on the endpoint for the default time.

  • Execution: An indicator shows whether the artifact was or was not able to run on the Endpoint for the entire default time.

  • C2: An indicator shows whether the EVE Platform did or did not receive a callback from the artifact upon emulation. See the Actions entry below for samples with callback functionality.

  • Actions: Click the Actions option to display information about the selected sample. The following information is presented:

    • Name: Name of the sample.

    • Start emulation: Timestamp of the emulation start.

    • Finish emulation: Timestamp of the emulation end.

    • Status: Complete emulation of the sample [true/false].

    • Callback: Configured in the sample load [true/false].

    • C2: Callback communication to the EVE server.

    • Interpretation of the Sample: A short description of the overall state of cybersecurity based on the emulation result. This is based only on the EVE results and should not be considered a final state.

    • Show emulation msg: Click the button to obtain details on the operations EVE performs while managing the samples. A successful emulation operation (regardless of the vector results) displays the artifact step messages. Depending on the type of emulation, these messages show: Phase one: Downloaded artifact. Phase two: Downloaded artifact persists. Phase three: Artifact moved to temporary folder. Phase four: Artifact moved to temporary folder persists. Phase five: Executed Artifact. Phase six: Artifact execution persists.

    • Follow Actions: For each sample, basic resolution mitigations are presented for each vector. These resolutions are related to the File Level Results table, meaning that information is displayed only for the vectors that were breached from the attacker's perspective, or not stopped from the defense perspective. Usually, the Network and Endpoint vectors show the same resolution mitigations, which include:

      • MD5, SHA1, SHA256.

      • String-based YARA rule.

      • MITRE ATT&CK Mitigations. EVE is able to display success/failure scenarios within the MITRE ATT&CK framework on a tactical and technical basis in the web interface. This reflects the success rate of the samples on each vector. The Techniques and sub-Techniques are mapped to the related Mitigations provided by MITRE. For more information go to: https://attack.mitre.org/mitigations/enterprise/

      • Callback resolution mitigations are presented only for zero-day samples, or for the information added in this field on the sample load.

Emulation Results View (figure)
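As an added illustration (not EVE's own code, nor any export format the product documents), this Python sketch reduces constructed file-level results to the vector indicators, the summary widgets and the per-vector Follow Actions described above; the mapping of the six phase messages onto the Network, Endpoint and Execution vectors is an assumption made for the example.

```python
# Added worked example, not EVE's own code: constructed file-level results are
# reduced to the vector indicators, summary widgets and follow actions the
# Emulation Results page describes. The phase-to-vector mapping is an assumption.
from dataclasses import dataclass

# Assumption: the six "Show emulation msg" phases (downloaded, persists, moved to
# temp, persists, executed, execution persists) map to vectors by the highest
# phase reached: network = downloaded, endpoint = persisted, execution = ran fully.
VECTOR_PHASES = {"network": 1, "endpoint": 2, "execution": 6}

@dataclass
class ArtifactResult:
    hostname: str
    file: str
    package: str
    phases_reached: int   # how many of the six phase messages were reported, 0..6
    callback: bool        # callback configured in the sample load
    c2_received: bool     # EVE Platform received the callback
    md5: str              # constructed placeholder hash

def vectors_breached(r: ArtifactResult) -> dict:
    """Per-vector indicator: True means the artifact got through that vector."""
    out = {v: r.phases_reached >= n for v, n in VECTOR_PHASES.items()}
    out["c2"] = r.callback and r.c2_received
    return out

def emulation_status(r: ArtifactResult) -> str:
    """'Success' if the artifact ran on the endpoint, otherwise 'Fail'."""
    return "Success" if r.phases_reached >= VECTOR_PHASES["execution"] else "Fail"

def summary(results: list) -> dict:
    """Threat File Results Summary widgets: hosts, artifacts, executed/blocked."""
    executed = sum(emulation_status(r) == "Success" for r in results)
    total = len(results)
    return {"hosts": len({r.hostname for r in results}), "artifacts": total,
            "executed": executed, "blocked": total - executed,
            "executed_pct": round(100.0 * executed / total, 1) if total else 0.0}

def follow_actions(r: ArtifactResult) -> list:
    """Follow Actions: mitigations only for vectors that were not stopped."""
    breached, actions = vectors_breached(r), []
    if breached["network"] or breached["endpoint"]:
        actions += [f"blocklist hashes (MD5 {r.md5}; SHA1/SHA256 from report)",
                    "deploy string-based YARA rule for the sample"]
    if breached["execution"]:
        actions.append("apply MITRE ATT&CK mitigations mapped to the package")
    if breached["c2"]:
        actions.append("review callback resolution (zero-day samples only)")
    return actions

# Constructed sample rows: one artifact ran fully, one was downloaded and then
# removed, one never started (the table would show "Not Start" for it).
SAMPLE = [
    ArtifactResult("WS-01", "sample_a.exe", "pkg-01", 6, True, True, "00" * 16),
    ArtifactResult("WS-01", "sample_b.dll", "pkg-01", 1, False, False, "11" * 16),
    ArtifactResult("SRV-02", "sample_c.ps1", "pkg-02", 0, False, False, "22" * 16),
]
```

Running `summary(SAMPLE)` reproduces the widget counts (2 hosts, 3 artifacts, 1 executed), and `follow_actions` returns an empty list for the artifact that never started, matching the rule that only breached vectors get resolutions.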