Trellix Endpoint Security suspicious call was detected and blocked

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect suspicious system calls or communications that were blocked by Trellix Endpoint Security, which may indicate malicious activity.

Strategy

Monitor for blocked suspicious calls, such as unauthorized API calls, system modifications, or external communications. These events could signal potential malware or unauthorized software attempting to interact with the system or network.

Triage and Response

  1. Confirm the details of the blocked suspicious call, including the originating process or user.
  2. Review the event details to determine the nature of the suspicious call, such as whether it was an external communication or a system modification attempt.
  3. Investigate the endpoint involved by analyzing its hostname ({{@attributes.analyzerhostname}}) and IP address ({{@attributes.analyzeripv4}}).
  4. If the suspicious activity is confirmed as a potential threat, isolate the endpoint immediately and perform a deeper investigation into the process or user responsible for the activity.
  5. Review and strengthen security policies to ensure further calls of this type are blocked, and investigate whether similar suspicious calls have occurred on other systems.
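The triage steps above are a manual procedure; the following added example (not Datadog's or Trellix's code) shows how an analyst could apply them to a batch of exported events: filter to blocked suspicious calls, summarise each endpoint by the hostname and IP attributes named in step 3 together with the originating process and user from step 1, and then check step 5 by listing process/call combinations that were blocked on more than one host. Only the attribute names `analyzerhostname` and `analyzeripv4` come from the rule text; the event shape, the `action`, `event_type`, `call_category`, `source_process` and `source_user` fields, and the sample events themselves are constructed assumptions for this example, not the real Trellix event schema.

```python
import json
from collections import defaultdict

# Constructed sample events as JSON lines (not real telemetry). Only
# "analyzerhostname" and "analyzeripv4" come from the rule text; the other
# field names are hypothetical stand-ins for the real Trellix event schema.
# The deliberately malformed line shows how parsing errors are handled.
SAMPLE_EVENT_LINES = """
{"attributes": {"analyzerhostname": "host-01", "analyzeripv4": "10.0.0.11", "action": "blocked", "event_type": "suspicious_call", "call_category": "external_communication", "source_process": "proc-a.exe", "source_user": "alice"}}
{"attributes": {"analyzerhostname": "host-01", "analyzeripv4": "10.0.0.11", "action": "blocked", "event_type": "suspicious_call", "call_category": "system_modification", "source_process": "proc-b.exe", "source_user": "alice"}}
{"attributes": {"analyzerhostname": "host-02", "analyzeripv4": "10.0.0.12", "action": "blocked", "event_type": "suspicious_call", "call_category": "external_communication", "source_process": "proc-a.exe", "source_user": "bob"}}
{"attributes": {"analyzerhostname": "host-03", "analyzeripv4": "10.0.0.13", "action": "allowed", "event_type": "suspicious_call", "call_category": "external_communication", "source_process": "proc-c.exe", "source_user": "carol"}}
{"attributes": {"analyzerhostname": "host-02", "analyzeripv4": "10.0.0.12", "action": "blocked", "event_type": "signature_match", "source_process": "proc-d.exe", "source_user": "bob"}}
this line is not JSON and must be skipped
"""


def is_blocked_suspicious_call(event: dict) -> bool:
    """True only for events the rule is about: a suspicious call that was blocked."""
    attrs = event.get("attributes", {})
    return attrs.get("action") == "blocked" and attrs.get("event_type") == "suspicious_call"


def parse_events(lines: str) -> list:
    """Parse JSON lines, skipping blank and malformed lines instead of aborting."""
    events = []
    for raw in lines.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad export line should not stop the whole triage
    return events


def summarize_by_endpoint(events: list) -> dict:
    """Steps 1-3: per endpoint, collect IP, event count, processes and users."""
    summary = {}
    for ev in events:
        if not is_blocked_suspicious_call(ev):
            continue
        a = ev["attributes"]
        host = a.get("analyzerhostname", "unknown")
        entry = summary.setdefault(
            host,
            {"ip": a.get("analyzeripv4"), "count": 0,
             "processes": set(), "users": set(), "categories": set()},
        )
        entry["count"] += 1
        entry["processes"].add(a.get("source_process"))
        entry["users"].add(a.get("source_user"))
        entry["categories"].add(a.get("call_category"))
    # Sorted lists are deterministic and JSON-serialisable, unlike sets.
    for entry in summary.values():
        for key in ("processes", "users", "categories"):
            entry[key] = sorted(v for v in entry[key] if v is not None)
    return summary


def calls_seen_on_multiple_hosts(events: list) -> list:
    """Step 5: process/category pairs blocked on more than one endpoint."""
    hosts_by_call = defaultdict(set)
    for ev in events:
        if not is_blocked_suspicious_call(ev):
            continue
        a = ev["attributes"]
        key = (a.get("source_process"), a.get("call_category"))
        hosts_by_call[key].add(a.get("analyzerhostname"))
    return sorted(
        (proc, cat, sorted(hosts))
        for (proc, cat), hosts in hosts_by_call.items()
        if len(hosts) > 1
    )


def triage(lines: str) -> dict:
    """Run the whole triage over a JSON-lines export and return both views."""
    events = parse_events(lines)
    return {
        "by_endpoint": summarize_by_endpoint(events),
        "cross_host": calls_seen_on_multiple_hosts(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT_LINES), indent=2))
```

On the constructed sample, `host-01` shows two blocked calls from two different processes under one user, `host-02` shows one, and the cross-host view reports that `proc-a.exe` making an external communication was blocked on both hosts, which is the signal step 5 asks the analyst to look for before widening the investigation. The allowed event and the non-suspicious-call event are excluded because the rule covers only calls that were actually blocked.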