Delinea Privilege Manager unusual spike in bad-rated application action events from a single computer

This rule is part of a beta feature. To learn more, contact Support.
delinea-privilege-manager

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1204-user-execution

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detects an unusual spike in bad-rated application events from a single computer.

Strategy

This rule monitors the Delinea Privilege Manager events to detect an unusual spike in bad-rated application events from a single computer.

Triage and Response

  1. Review the logs of bad-rated application events from a computer name: {{@ComputerName}}({{@_ComputerId}}).
  2. Analyze the list of installed and executed applications.
  3. Quarantine or isolate affected systems to mitigate potential risks.
  4. Update application control policies to block the identified applications with bad security ratings.
PREVIEWING: brett.blue/embedded-collector-nav