Trellix Endpoint Security unrestricted access protection rule violation detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

Identify access protection rule violations detected by Trellix Endpoint Security that were logged but not blocked by Trellix itself. These unblocked events indicate potential security risks.

Strategy

Monitor for violations of access protection rules that were logged but not prevented. These events may highlight attempts to access unauthorized resources or sensitive data, which could require further investigation.

Triage and Response

  1. Review the details of the access protection rule violation, including the affected user or process.
  2. Analyze the event information to understand the nature of the violation and why it was not blocked.
  3. Investigate the impacted endpoint using its hostname ({{@attributes.analyzerhostname}}) and IP address ({{@attributes.analyzeripv4}}).
  4. Determine if the violation poses a security risk and consider taking immediate action, such as adjusting access policies.
  5. Implement measures to strengthen access controls and monitor for any further violations.
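The first three triage steps above, carried out over a small constructed batch of events, as an added example that is not part of this rule page and not Datadog's or Trellix's own code. Only the two attribute names quoted in step 3 ({{@attributes.analyzerhostname}} and {{@attributes.analyzeripv4}}) come from the page; the other field names and the action values that mean "logged but not blocked" are assumptions made for the illustration, not Trellix's actual event schema.

```python
"""Added example (not Datadog's or Trellix's code): keep only the Trellix ENS
access-protection violations that were logged but not blocked, then group
them per endpoint so each affected host is investigated once."""

from collections import defaultdict

# Constructed sample events. "@attributes.analyzerhostname" and
# "@attributes.analyzeripv4" are the attribute names the rule page uses;
# "rule_name", "action", "user" and "process" are assumed field names for
# this example only.
SAMPLE_EVENTS = [
    {"@attributes.analyzerhostname": "ws-101", "@attributes.analyzeripv4": "10.0.0.11",
     "rule_name": "Protect security processes", "action": "blocked",
     "user": "alice", "process": "C:\\Tools\\dump.exe"},
    {"@attributes.analyzerhostname": "ws-101", "@attributes.analyzeripv4": "10.0.0.11",
     "rule_name": "Protect registry keys", "action": "logged",
     "user": "alice", "process": "C:\\Tools\\reg_edit.exe"},
    {"@attributes.analyzerhostname": "srv-02", "@attributes.analyzeripv4": "10.0.5.2",
     "rule_name": "Protect registry keys", "action": "logged",
     "user": "svc_backup", "process": "C:\\Backup\\agent.exe"},
    {"@attributes.analyzerhostname": "srv-02", "@attributes.analyzeripv4": "10.0.5.2",
     "rule_name": "Protect critical files", "action": "would_block",
     "user": "svc_backup", "process": "C:\\Backup\\agent.exe"},
]

# Assumed action values meaning "the violation was recorded but the operation
# was allowed to proceed" (for instance a rule running in report-only mode).
UNBLOCKED_ACTIONS = {"logged", "would_block"}


def unblocked_violations(events):
    """Return only the access-protection violations that were not blocked."""
    return [e for e in events if e.get("action") in UNBLOCKED_ACTIONS]


def triage_summary(events):
    """Group unblocked violations by endpoint (hostname, IPv4), collecting the
    rules, users and processes involved so the host can be reviewed once."""
    summary = defaultdict(lambda: {"count": 0, "rules": set(), "users": set(), "processes": set()})
    for e in unblocked_violations(events):
        key = (e["@attributes.analyzerhostname"], e["@attributes.analyzeripv4"])
        entry = summary[key]
        entry["count"] += 1
        entry["rules"].add(e["rule_name"])
        entry["users"].add(e["user"])
        entry["processes"].add(e["process"])
    return dict(summary)


if __name__ == "__main__":
    for (host, ip), info in triage_summary(SAMPLE_EVENTS).items():
        print(f"{host} ({ip}): {info['count']} unblocked violation(s)")
        print(f"  rules:     {sorted(info['rules'])}")
        print(f"  users:     {sorted(info['users'])}")
        print(f"  processes: {sorted(info['processes'])}")
```

The blocked event on ws-101 drops out of the summary, which is the point of the rule: a violation Trellix already stopped needs far less attention than one it merely recorded. Hosts with several unblocked hits across different rules (srv-02 here) are the natural place to start when deciding whether a policy should move from report-only to blocking.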