Cisco Secure Endpoint high number of malicious files from single host

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect an unusually high number of unique malicious files from a single host.

Strategy

This rule monitors Cisco Secure Endpoint events to detect a spike in the number of unique malicious files detected on a single host.
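As an added illustration of the counting this rule performs (example code written for this page, not Datadog's rule implementation; the Cisco Secure Endpoint field names other than computer.hostname, the one-hour window and the threshold of five are assumptions), the following groups threat-detection events by host and flags hosts whose count of distinct file hashes inside a window exceeds the threshold:

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, host, sha, kind="Threat Detected"):
    # Constructed event in a Cisco Secure Endpoint-like shape; only
    # computer.hostname comes from the rule page, the rest is assumed.
    return {"timestamp": ts, "event_type": kind,
            "computer": {"hostname": host},
            "file": {"identity": {"sha256": sha}}}

SAMPLE_EVENTS = (
    # ws-01: six distinct malicious files within 30 minutes -> flagged
    [_ev(f"2024-01-01T10:{m:02d}:00Z", "ws-01", f"hash-a{m}") for m in range(0, 30, 5)]
    # ws-02: six detections but only two distinct files (repeat hits) -> not flagged
    + [_ev(f"2024-01-01T10:{m:02d}:00Z", "ws-02", f"hash-b{m % 2}") for m in range(0, 30, 5)]
    # ws-03: six distinct files spread over twenty hours -> not flagged
    + [_ev(f"2024-01-01T{h:02d}:00:00Z", "ws-03", f"hash-c{h}") for h in range(0, 24, 4)]
    # a non-threat event that the detection must ignore
    + [_ev("2024-01-01T10:00:00Z", "ws-04", "hash-d0", kind="Policy Update")]
)

def parse_events(raw):
    """Yield (timestamp, hostname, sha256) for threat-detection events only."""
    for e in raw:
        if e.get("event_type") != "Threat Detected":
            continue
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        yield ts, e["computer"]["hostname"], e["file"]["identity"]["sha256"]

def hosts_over_threshold(events, window=timedelta(hours=1), threshold=5):
    """Return {hostname: set(sha256)} for hosts reporting more than `threshold`
    distinct malicious files inside any span of length `window`. Counting
    distinct hashes, not raw events, separates repeat hits from a real burst."""
    by_host = defaultdict(list)
    for ts, host, sha in parse_events(events):
        by_host[host].append((ts, sha))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {sha for ts, sha in items[i:] if ts - start <= window}
            if len(seen) > threshold:
                flagged[host] = seen
                break
    return flagged

if __name__ == "__main__":
    for host, files in hosts_over_threshold(SAMPLE_EVENTS).items():
        print(f"{host}: {len(files)} distinct malicious files")
```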

Triage and response

  1. Investigate the host, {{@event.computer.hostname}}, on which the malicious files were detected.
  2. Analyze the endpoint for other potentially malicious activity.
  3. Implement immediate measures to block or limit the impact of the suspicious activity if confirmed as a threat.
  4. Follow company procedures for handling malicious files, including isolating the endpoint, running antivirus/antimalware scans, analyzing logs, and updating security policies.