Trellix Endpoint Security unrestricted access protection rule violation detected
Goal
Identify access protection rule violations that Trellix Endpoint Security detected and logged but did not block. An unblocked violation means the offending process reached the protected resource, so these events indicate a potential security risk.
Strategy
Monitor for access protection rule violations that were logged but not prevented. These events may reveal attempts to reach restricted resources or sensitive data and can warrant further investigation.
Triage and Response
- Review the details of the access protection rule violation, including the affected user or process.
- Analyze the event information to understand the nature of the violation and why it was not blocked, for example whether the rule is configured to report only rather than block.
- Investigate the impacted endpoint using its hostname {{@attributes.analyzerhostname}} and IP address {{@attributes.analyzeripv4}}.
- Determine whether the violation poses a security risk and consider taking immediate action, such as adjusting access policies.
- Implement measures to strengthen access controls and monitor for any further violations.
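The following is an added example, not code from the Datadog rule or from Trellix, showing the detection logic described under Strategy run over a handful of constructed event lines, and the per-endpoint summary the triage steps ask for. The key="value" event shape, the field names (category, action, host, ip, user, process, rule, target) and the "blocked"/"not blocked" action values are assumptions made for this example; real Trellix ENS events forwarded to a SIEM use their own schema and must be mapped accordingly.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One access protection violation that Trellix logged but did not block."""
    hostname: str
    ipv4: str
    user: str
    process: str
    rule: str
    target: str


# Constructed sample events in a simplified key="value" style. The field names
# and the action values are assumptions for this example, not Trellix's schema.
SAMPLE_EVENTS = [
    'category="Access Protection" action="blocked" host="wks-01" ip="10.0.0.11" '
    'user="CORP\\alice" process="C:\\Temp\\dropper.exe" '
    'rule="Prevent modification of Trellix files" target="C:\\Program Files\\Trellix\\x.dll"',
    'category="Access Protection" action="not blocked" host="wks-02" ip="10.0.0.12" '
    'user="CORP\\bob" process="C:\\Users\\bob\\tool.exe" '
    'rule="Prevent registry editor launching" target="C:\\Windows\\regedit.exe"',
    'category="On-Access Scan" action="not blocked" host="wks-03" ip="10.0.0.13" '
    'user="CORP\\carol" process="C:\\x.exe" rule="" target=""',
    'category="Access Protection" action="NOT BLOCKED" host="wks-04" ip="10.0.0.14" '
    'user="NT AUTHORITY\\SYSTEM" process="C:\\Windows\\System32\\svchost.exe" '
    'rule="Prevent termination of Trellix processes" target="mfeesp.exe"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Parse a key="value" event line into a dict (values contain no quotes)."""
    return dict(KV_RE.findall(line))


def is_unblocked_access_protection(event: dict) -> bool:
    """True when the event is an Access Protection violation that was only
    reported, not blocked. The comparison is case-insensitive because
    exporters differ in how they render the action ("not blocked" vs
    "NOT BLOCKED"); an exact match would silently miss the second form."""
    return (event.get("category", "").casefold() == "access protection"
            and event.get("action", "").casefold() == "not blocked")


def detect(lines) -> list:
    """Run the detection over raw event lines and return one Finding per hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_unblocked_access_protection(ev):
            findings.append(Finding(
                hostname=ev.get("host", "unknown"),
                ipv4=ev.get("ip", "unknown"),
                user=ev.get("user", "unknown"),
                process=ev.get("process", "unknown"),
                rule=ev.get("rule", "unknown"),
                target=ev.get("target", "unknown"),
            ))
    return findings


def triage_summary(f: Finding) -> str:
    """One-line triage note carrying the fields the response steps ask for."""
    return (f"{f.hostname} ({f.ipv4}): {f.user} via {f.process} "
            f"violated '{f.rule}' on {f.target} and was not blocked")


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(triage_summary(finding))
```

Of the four constructed events, only the second and fourth are flagged: the first was blocked, and the third is not an Access Protection event at all. Each finding already carries the user, process, hostname and IP address that the triage steps call for, so the summary line can be attached to the signal as-is.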