Trellix Endpoint Security blocked web control violation detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect web control violations that Trellix Endpoint Security has blocked, and the threats they may indicate.

Strategy

Monitor endpoint security events for indications of blocked web control violations. Focus on analyzing the context of the event, including the specific website or URL that was blocked, and the affected endpoints.

Triage and Response

  1. Confirm the details of the blocked web control violation, such as the restricted URL or category.
  2. Review the event details to understand the nature of the violation.
  3. Examine the impacted endpoint using its hostname ({{@attributes.analyzerhostname}}) and IP address ({{@attributes.analyzeripv4}}).
  4. Ensure the web control policies are properly enforced to prevent access to restricted content in the future.
  5. Continue to monitor the affected endpoints for further violations or related anomalies.
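The triage steps above can be supported with a small helper that runs over a batch of Trellix Endpoint Security events, keeps only the blocked web control violations, groups them by endpoint (step 3) and flags endpoints with repeated violations (step 5). The following is an added example, not code from the rule documentation or from Trellix; only the attribute names `analyzerhostname` and `analyzeripv4` come from the rule text, while the remaining event fields (`category`, `action`, `url`, `url_category`, `timestamp`) and the sample events themselves are constructed assumptions for illustration.

```python
"""Triage helper for blocked web control violations (added example).

Assumed event shape: one JSON object per line with the endpoint fields under
"attributes". Only analyzerhostname and analyzeripv4 appear in the rule text;
category, action, url, url_category and timestamp are assumed field names.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real Trellix output); URLs use the reserved
# .invalid TLD so they cannot resolve.
SAMPLE_EVENTS = [
    '{"timestamp": "2024-05-01T09:12:03Z", "attributes": {"analyzerhostname": "WKS-0042", '
    '"analyzeripv4": "10.20.30.42", "category": "web_control", "action": "blocked", '
    '"url": "http://downloads.example.invalid/setup.exe", "url_category": "Malicious Sites"}}',
    '{"timestamp": "2024-05-01T09:14:40Z", "attributes": {"analyzerhostname": "WKS-0042", '
    '"analyzeripv4": "10.20.30.42", "category": "web_control", "action": "blocked", '
    '"url": "http://mirror.example.invalid/setup.exe", "url_category": "Malicious Sites"}}',
    '{"timestamp": "2024-05-01T10:02:11Z", "attributes": {"analyzerhostname": "SRV-FILE01", '
    '"analyzeripv4": "10.20.31.7", "category": "web_control", "action": "blocked", '
    '"url": "http://share.example.invalid/", "url_category": "Personal Storage"}}',
    # Web control event that only warned the user: not a blocked violation.
    '{"timestamp": "2024-05-01T10:05:00Z", "attributes": {"analyzerhostname": "WKS-0099", '
    '"analyzeripv4": "10.20.30.99", "category": "web_control", "action": "warned", '
    '"url": "http://news.example.invalid/", "url_category": "News"}}',
    # Blocked, but by a different module: not a web control violation.
    '{"timestamp": "2024-05-01T10:07:30Z", "attributes": {"analyzerhostname": "WKS-0042", '
    '"analyzeripv4": "10.20.30.42", "category": "threat_prevention", "action": "blocked", '
    '"url": "", "url_category": ""}}',
]


@dataclass(frozen=True)
class Violation:
    """The details a responder confirms in triage step 1 and 3."""
    timestamp: str
    hostname: str
    ipv4: str
    url: str
    url_category: str


def parse_event(line: str) -> dict:
    """Parse one JSON event line."""
    return json.loads(line)


def is_blocked_web_control(event: dict) -> bool:
    """True only for web control events where the action was a block."""
    attrs = event.get("attributes", {})
    return attrs.get("category") == "web_control" and attrs.get("action") == "blocked"


def to_violation(event: dict) -> Violation:
    """Pull the fields a responder needs out of a matching event."""
    attrs = event["attributes"]
    return Violation(
        timestamp=event.get("timestamp", ""),
        hostname=attrs.get("analyzerhostname", "unknown"),
        ipv4=attrs.get("analyzeripv4", "unknown"),
        url=attrs.get("url", ""),
        url_category=attrs.get("url_category", "uncategorized"),
    )


def blocked_violations(lines) -> list:
    """Return the blocked web control violations in a batch of event lines.
    Malformed lines are skipped so one bad record does not abort the run."""
    found = []
    for line in lines:
        try:
            event = parse_event(line)
        except json.JSONDecodeError:
            continue
        if is_blocked_web_control(event):
            found.append(to_violation(event))
    return found


def group_by_endpoint(violations) -> dict:
    """Group violations by (hostname, ipv4) so each endpoint is reviewed once."""
    grouped = defaultdict(list)
    for v in violations:
        grouped[(v.hostname, v.ipv4)].append(v)
    return dict(grouped)


def repeat_offenders(grouped: dict, threshold: int = 2) -> list:
    """Endpoints with at least `threshold` blocked violations (triage step 5)."""
    return sorted(ep for ep, vs in grouped.items() if len(vs) >= threshold)


def triage_summary(lines, threshold: int = 2) -> dict:
    """One summary per batch: totals, per-endpoint detail and repeat offenders."""
    grouped = group_by_endpoint(blocked_violations(lines))
    return {
        "blocked_total": sum(len(vs) for vs in grouped.values()),
        "endpoints": {
            f"{host} ({ip})": [(v.timestamp, v.url_category, v.url) for v in vs]
            for (host, ip), vs in grouped.items()
        },
        "repeat_offenders": [f"{h} ({ip})" for h, ip in repeat_offenders(grouped, threshold)],
    }


if __name__ == "__main__":
    print(json.dumps(triage_summary(SAMPLE_EVENTS), indent=2))
```

The filter deliberately requires both the web control category and a blocked action, so warn-only web control events and blocks from other Trellix modules are excluded; in a real deployment the `category` and `action` values must be mapped to whatever the actual Trellix event schema uses.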