Trend Micro Vision One Endpoint Security alert: Spyware or grayware detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect incidents where spyware or grayware has been identified on endpoints.

Strategy

Monitor alerts from Trend Micro Vision One Endpoint Security for detections of spyware or grayware. Such detections indicate potential privacy breaches, unwanted monitoring, or lower-severity but still significant threats that can compromise endpoint security and user privacy. Correlate these alerts to evaluate the scope and impact, pinpointing the affected endpoints and understanding the potential threat vectors. This supports assessing the seriousness of the threat and planning appropriate remediation actions.

Triage and Response

  1. Identify the affected endpoint using its name ({{@source_host_name}}) and IP address ({{@endpoint_ip}}).
  2. Review the virus name ({{@virus_name}}) to understand the specific spyware or grayware detected.
  3. Isolate the affected endpoint to prevent any potential spread or further compromise.
  4. Remove or quarantine the detected spyware or grayware to mitigate risks.
  5. Perform a thorough scan on the endpoint to ensure no additional threats are present.
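The correlation described under Strategy, as an added example that is not part of the Datadog rule or Trend Micro's own tooling: it groups in-scope alerts by the endpoint attributes the triage steps reference (source_host_name, endpoint_ip, virus_name). The `category` field, the category values, and the sample alert records are constructed assumptions for illustration.

```python
"""Correlate Trend Micro Vision One spyware/grayware alerts by endpoint.

Added example, not part of the rule page. The 'category' field and the
sample records below are constructed; only source_host_name, endpoint_ip
and virus_name come from the rule's triage steps.
"""
from collections import defaultdict

# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    {"source_host_name": "WS-0142", "endpoint_ip": "10.20.5.17",
     "virus_name": "GRAYWARE_EXAMPLE_A", "category": "grayware"},
    {"source_host_name": "WS-0142", "endpoint_ip": "10.20.5.17",
     "virus_name": "SPYWARE_EXAMPLE_B", "category": "spyware"},
    {"source_host_name": "WS-0377", "endpoint_ip": "10.20.7.90",
     "virus_name": "GRAYWARE_EXAMPLE_A", "category": "grayware"},
    # Out of scope for this rule: a non-spyware detection.
    {"source_host_name": "SRV-DB01", "endpoint_ip": "10.20.1.5",
     "virus_name": "TROJAN_EXAMPLE_C", "category": "malware"},
]

# Assumed category values that mark an alert as in scope for this rule.
IN_SCOPE_CATEGORIES = {"spyware", "grayware"}


def correlate(alerts):
    """Map each (host, ip) to the sorted list of in-scope virus names seen on it."""
    by_endpoint = defaultdict(set)
    for alert in alerts:
        if alert.get("category") not in IN_SCOPE_CATEGORIES:
            continue
        key = (alert["source_host_name"], alert["endpoint_ip"])
        by_endpoint[key].add(alert["virus_name"])
    return {key: sorted(names) for key, names in by_endpoint.items()}


def triage_summary(alerts):
    """Scope assessment: affected endpoints and detections recurring across hosts."""
    per_endpoint = correlate(alerts)
    hosts_by_detection = defaultdict(set)
    for (host, _ip), names in per_endpoint.items():
        for name in names:
            hosts_by_detection[name].add(host)
    return {
        "affected_endpoints": len(per_endpoint),
        "multi_host_detections": sorted(
            n for n, hosts in hosts_by_detection.items() if len(hosts) > 1),
        "endpoints": per_endpoint,
    }


if __name__ == "__main__":
    for field, value in triage_summary(SAMPLE_ALERTS).items():
        print(f"{field}: {value}")
```

A detection name that appears on several endpoints (here the constructed GRAYWARE_EXAMPLE_A) is a cue to widen isolation and scanning beyond the first host that alerted.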