Trellix Endpoint Security unrestricted port blocking rule violation detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

Identify port blocking rule violations detected by Trellix Endpoint Security that were logged but not blocked by Trellix itself. These unblocked violations may indicate potential unauthorized network access.

Strategy

Monitor for logged violations of port blocking rules that were not acted upon. These events may indicate attempts to communicate through blocked ports, which could suggest malicious activities.

Triage and Response

  1. Review the details of the port blocking rule violation, including the specific port and application involved.
  2. Analyze the event information to understand why the violation was not blocked.
  3. Investigate the impacted endpoint using its hostname - {{@attributes.analyzerhostname}} and IP address - {{@attributes.analyzeripv4}}.
  4. Assess the risk associated with the violation and determine appropriate actions, such as enhancing network security policies.
  5. Continue monitoring for similar violations to prevent unauthorized access attempts.
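The filtering this rule describes, as an added example that is not part of the original page or of Trellix or Datadog tooling. The log lines are constructed; the `rule_category`, `action`, `port` and `application` keys are assumed field names, and only `analyzerhostname` and `analyzeripv4` come from the rule text above.

```python
import json
from collections import Counter

# Constructed JSON-lines sample in a Datadog-style shape. Field names other than
# analyzerhostname/analyzeripv4 are assumptions for this example, not a documented schema.
SAMPLE_LOG = """
{"@attributes": {"analyzerhostname": "ws-101", "analyzeripv4": "10.0.0.15", "rule_category": "port_blocking", "action": "logged", "port": 4444, "application": "powershell.exe"}}
{"@attributes": {"analyzerhostname": "ws-101", "analyzeripv4": "10.0.0.15", "rule_category": "port_blocking", "action": "blocked", "port": 4444, "application": "powershell.exe"}}
{"@attributes": {"analyzerhostname": "srv-7", "analyzeripv4": "10.0.0.40", "rule_category": "port_blocking", "action": "logged", "port": 445, "application": "unknown.exe"}}
{"@attributes": {"analyzerhostname": "ws-101", "analyzeripv4": "10.0.0.15", "rule_category": "port_blocking", "action": "logged", "port": 4444, "application": "cmd.exe"}}
{"@attributes": {"analyzerhostname": "ws-102", "analyzeripv4": "10.0.0.16", "rule_category": "access_protection", "action": "logged", "port": null, "application": "notepad.exe"}}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # do not let one bad record abort the whole batch
    return events


def unblocked_port_violations(events):
    """Return port blocking violations that Trellix logged but did not enforce."""
    hits = []
    for ev in events:
        a = ev.get("@attributes", {})
        if a.get("rule_category") != "port_blocking":
            continue  # other Trellix rule types are out of scope for this rule
        if a.get("action") == "blocked":
            continue  # enforced by Trellix; nothing slipped through
        hits.append({
            "host": a.get("analyzerhostname"),  # triage step 3: impacted endpoint
            "ip": a.get("analyzeripv4"),
            "port": a.get("port"),               # triage step 1: port and application
            "application": a.get("application"),
        })
    return hits


def repeat_offenders(hits):
    """Count unblocked violations per (host, port) so repeats are triaged first."""
    return Counter((h["host"], h["port"]) for h in hits)


if __name__ == "__main__":
    found = unblocked_port_violations(parse_events(SAMPLE_LOG))
    for h in found:
        print(h)
    print(repeat_offenders(found).most_common())
```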