Trellix Endpoint Security suspicious call was detected and blocked
Goal
Detect suspicious system calls or communications that were blocked by Trellix Endpoint Security, which may indicate malicious activity.
Strategy
Monitor for blocked suspicious calls, such as unauthorized API calls, system modifications, or external communications. These events could signal potential malware or unauthorized software attempting to interact with the system or network.
Triage and Response
- Confirm the details of the blocked suspicious call, including the originating process or user.
- Review the event details to determine the nature of the suspicious call, such as whether it was an external communication or a system modification attempt.
- Investigate the endpoint involved by analyzing its hostname - {{@attributes.analyzerhostname}} and IP address - {{@attributes.analyzeripv4}}.
- If the suspicious activity is confirmed as a potential threat, take immediate steps to isolate the endpoint and perform a deeper investigation into the process or user responsible for the activity.
- Review and strengthen security policies to ensure further calls of this type are blocked, and investigate whether similar suspicious calls have occurred on other systems.
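As an added example that is not part of the original rule text, the triage helper below runs over constructed sample Trellix Endpoint Security events: it keeps only calls that were blocked, classifies each as an external communication or a system modification attempt, groups them by endpoint hostname and IP address, and reports any process that was blocked on more than one host. Only `analyzerhostname` and `analyzeripv4` come from the rule; the other field names and the sample events are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events shaped like Trellix Endpoint Security threat events
# forwarded as one JSON object per line. Only analyzerhostname and analyzeripv4
# appear in the rule text; the other field names are assumptions for illustration.
SAMPLE_LOG = r"""
{"analyzerhostname":"WS-0142","analyzeripv4":"10.20.3.14","threatactiontaken":"blocked","sourceprocessname":"C:\\Users\\Public\\upd.exe","sourceusername":"CORP\\jdoe","threateventdescription":"Suspicious outbound network connection blocked"}
{"analyzerhostname":"WS-0142","analyzeripv4":"10.20.3.14","threatactiontaken":"blocked","sourceprocessname":"C:\\Users\\Public\\upd.exe","sourceusername":"CORP\\jdoe","threateventdescription":"Suspicious registry modification blocked"}
{"analyzerhostname":"SRV-07","analyzeripv4":"10.20.9.7","threatactiontaken":"blocked","sourceprocessname":"C:\\Users\\Public\\upd.exe","sourceusername":"CORP\\svc_backup","threateventdescription":"Suspicious outbound network connection blocked"}
{"analyzerhostname":"WS-0233","analyzeripv4":"10.20.3.77","threatactiontaken":"allowed","sourceprocessname":"C:\\Windows\\notepad.exe","sourceusername":"CORP\\asmith","threateventdescription":"Benign file write"}
{"analyzerhostname":"WS-0301","analyzeripv4":"10.20.4.12","threatactiontaken":"blocked","sourceprocessname":"C:\\Tools\\backup.exe","sourceusername":"CORP\\asmith","threateventdescription":"Suspicious service installation blocked"}
"""

EXTERNAL_HINTS = ("network", "connection", "communication", "url", "dns")
MODIFICATION_HINTS = ("registry", "service", "file", "modification", "driver")

def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify_call(event):
    """Label the nature of the blocked call from its description text."""
    desc = event.get("threateventdescription", "").lower()
    if any(h in desc for h in EXTERNAL_HINTS):
        return "external_communication"
    if any(h in desc for h in MODIFICATION_HINTS):
        return "system_modification"
    return "unknown"

def triage(events):
    """Summarise blocked calls per endpoint and flag processes seen on several hosts."""
    per_host = {}
    hosts_by_process = defaultdict(set)
    for e in events:
        if e.get("threatactiontaken", "").lower() != "blocked":
            continue  # the rule concerns calls Trellix actually blocked
        host = f'{e["analyzerhostname"]} ({e["analyzeripv4"]})'
        proc = e.get("sourceprocessname", "unknown")
        entry = per_host.setdefault(host, {"count": 0, "kinds": set(), "processes": set(), "users": set()})
        entry["count"] += 1
        entry["kinds"].add(classify_call(e))
        entry["processes"].add(proc)
        entry["users"].add(e.get("sourceusername", "unknown"))
        hosts_by_process[proc].add(host)
    # The same blocked process on more than one endpoint widens the investigation.
    spread = {p: sorted(h) for p, h in hosts_by_process.items() if len(h) > 1}
    return per_host, spread
```

Calling `triage(parse_events(SAMPLE_LOG))` returns the per-endpoint summary (count, call kinds, processes, users) and the map of processes blocked on several hosts.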