Trellix Endpoint Security unrestricted port blocking rule violation detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

Identify port blocking rule violations detected by Trellix Endpoint Security that were logged but not blocked by Trellix itself. These unblocked violations may indicate unauthorized network access.

Strategy

Monitor for logged violations of port blocking rules that were not acted upon. These events may indicate attempts to communicate through blocked ports, which could suggest malicious activities.

Triage and Response

  1. Review the details of the port blocking rule violation, including the specific port and application involved.
  2. Analyze the event information to understand why the violation was not blocked.
  3. Investigate the impacted endpoint using its hostname - {{@attributes.analyzerhostname}} and IP address - {{@attributes.analyzeripv4}}.
  4. Assess the risk associated with the violation and determine appropriate actions, such as enhancing network security policies.
  5. Continue monitoring for similar violations to prevent unauthorized access attempts.
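As an added example that is not part of this rule's documentation, the check below runs the rule's logic over constructed Datadog-style log lines: it keeps Trellix Endpoint Security port blocking events whose action was only logged, not blocked, and groups them by the `@attributes.analyzerhostname` and `@attributes.analyzeripv4` values the triage steps reference. Every attribute name other than those two (`product`, `rule_type`, `action`, `port`, `process`) is an assumption for illustration, not Trellix's documented schema.

```python
import json
from collections import defaultdict

# Constructed sample log lines shaped like Datadog log events carrying a
# Trellix Endpoint Security payload under "attributes". Only analyzerhostname
# and analyzeripv4 come from the rule; the other keys are assumed names.
SAMPLE_EVENTS = [
    json.dumps({"attributes": {"analyzerhostname": "ws-01", "analyzeripv4": "10.0.0.5",
                               "product": "Trellix Endpoint Security", "rule_type": "port_blocking",
                               "action": "logged", "port": 445, "process": "svchost.exe"}}),
    json.dumps({"attributes": {"analyzerhostname": "ws-01", "analyzeripv4": "10.0.0.5",
                               "product": "Trellix Endpoint Security", "rule_type": "port_blocking",
                               "action": "blocked", "port": 3389, "process": "mstsc.exe"}}),
    json.dumps({"attributes": {"analyzerhostname": "ws-02", "analyzeripv4": "10.0.0.6",
                               "product": "Trellix Endpoint Security", "rule_type": "port_blocking",
                               "action": "logged", "port": 8080, "process": "updater.exe"}}),
    json.dumps({"attributes": {"analyzerhostname": "ws-02", "analyzeripv4": "10.0.0.6",
                               "product": "Trellix Endpoint Security", "rule_type": "access_protection",
                               "action": "logged", "port": None, "process": "notepad.exe"}}),
    "this line is not JSON and must be skipped, not crash the pipeline",
]


def is_unblocked_port_violation(attrs):
    """True for a Trellix port blocking event that was recorded but not blocked."""
    product_ok = attrs.get("product") == "Trellix Endpoint Security"
    rule_ok = attrs.get("rule_type") == "port_blocking"
    action = str(attrs.get("action", "")).lower()
    # An absent action is not treated as a hit: we only flag events that
    # explicitly record a non-blocking outcome.
    return product_ok and rule_ok and action not in ("", "blocked")


def find_unblocked_violations(raw_lines):
    """Group unblocked violations by (hostname, IPv4) for endpoint triage."""
    hits = defaultdict(list)
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it and keep processing
        attrs = event.get("attributes", {})
        if is_unblocked_port_violation(attrs):
            key = (attrs.get("analyzerhostname"), attrs.get("analyzeripv4"))
            hits[key].append((attrs.get("port"), attrs.get("process")))
    return dict(hits)


if __name__ == "__main__":
    for (host, ip), details in find_unblocked_violations(SAMPLE_EVENTS).items():
        print(f"{host} ({ip}): {details}")
```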