Trellix Endpoint Security blocked web control violation detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect threats related to web control violations that Trellix Endpoint Security has blocked.

Strategy

Monitor endpoint security events for indications of blocked web control violations. Focus on analyzing the context of the event, including the specific website or URL that was blocked, and the affected endpoints.

Triage and Response

  1. Confirm the details of the blocked web control violation, such as the restricted URL or category.
  2. Review the event details to understand the nature of the violation.
  3. Examine the impacted endpoint using its hostname ({{@attributes.analyzerhostname}}) and IP address ({{@attributes.analyzeripv4}}).
  4. Ensure the web control policies are properly enforced to prevent access to restricted content in the future.
  5. Continue to monitor the affected endpoints for further violations or related anomalies.
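
Added example, not code from this rule or from Trellix: a small Python triage helper that filters constructed Trellix-style events down to blocked web control violations and summarizes them per endpoint using the hostname and IP attributes named in the steps above. Only the `@attributes.analyzerhostname` and `@attributes.analyzeripv4` names come from this page; the `product`, `category`, `action` and `url` field names and the sample events are assumptions.

```python
from collections import defaultdict


def make_event(host, ip, url, action):
    """Build a constructed Trellix-style event; field names are assumptions."""
    return {"product": "Trellix Endpoint Security", "category": "web_control",
            "action": action, "url": url,
            "@attributes": {"analyzerhostname": host, "analyzeripv4": ip}}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    make_event("WS-0142", "10.0.5.17", "http://example.invalid/downloads", "blocked"),
    make_event("WS-0142", "10.0.5.17", "http://example.invalid/downloads", "blocked"),
    make_event("WS-0142", "10.0.5.17", "http://intranet.example/", "allowed"),
    make_event("WS-0207", "10.0.6.3", "http://example.invalid/mail", "blocked"),
]


def is_blocked_web_control(event):
    """Rule logic: a Trellix ES web control event whose action was a block."""
    return (event.get("product") == "Trellix Endpoint Security"
            and event.get("category") == "web_control"
            and event.get("action") == "blocked")


def summarize_by_endpoint(events):
    """Group blocked violations by endpoint (triage steps 1-3).

    Returns {hostname: {"ip": str, "urls": sorted list, "count": int}}.
    """
    summary = defaultdict(lambda: {"ip": None, "urls": set(), "count": 0})
    for ev in filter(is_blocked_web_control, events):
        attrs = ev.get("@attributes", {})
        entry = summary[attrs.get("analyzerhostname", "unknown")]
        entry["ip"] = attrs.get("analyzeripv4")
        entry["urls"].add(ev.get("url"))
        entry["count"] += 1
    return {h: {**e, "urls": sorted(e["urls"])} for h, e in summary.items()}


def repeat_offenders(summary, threshold=2):
    """Step 5: endpoints with repeated blocked violations that need follow-up."""
    return sorted(h for h, e in summary.items() if e["count"] >= threshold)


if __name__ == "__main__":
    per_host = summarize_by_endpoint(SAMPLE_EVENTS)
    for host, e in per_host.items():
        print(host, e["ip"], e["count"], e["urls"])
    print("repeat offenders:", repeat_offenders(per_host))
```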