Trellix Endpoint Security unrestricted access protection rule violation detected
Goal
Identify access protection rule violations detected by Trellix Endpoint Security that were logged but not blocked by Trellix itself. These unblocked events indicate potential security risks.
Strategy
Monitor for violations of access protection rules that were logged but not prevented. These events may highlight attempts to access unauthorized resources or sensitive data, which could require further investigation.
Triage and Response
- Review the details of the access protection rule violation, including the affected user or process.
- Analyze the event information to understand the nature of the violation and why it was not blocked.
- Investigate the impacted endpoint using its hostname - {{@attributes.analyzerhostname}} and IP address - {{@attributes.analyzeripv4}}.
- Determine if the violation poses a security risk and consider taking immediate action, such as adjusting access policies.
- Implement measures to strengthen access controls and monitor for any further violations.
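The following script is an added example of the triage logic described above; it is not part of the original rule page or of Trellix's or Datadog's own code. It filters a batch of access protection events down to those whose recorded verdict is not a blocking one, then groups the survivors by endpoint so the analyst can see which hosts generated unblocked violations. The only attribute names taken from the page are `@attributes.analyzerhostname` and `@attributes.analyzeripv4`; the fields `rule_name`, `action`, `process` and `user`, the set of blocking verdicts, and the sample events themselves are constructed assumptions and must be mapped to the real Trellix ENS log schema before use.

```python
"""Flag Trellix ENS access protection violations that were logged but not blocked."""
import json
from collections import Counter

# Constructed sample events for illustration only. Only the attribute names
# @attributes.analyzerhostname and @attributes.analyzeripv4 come from the rule
# page; "rule_name", "action", "process" and "user" are assumed field names.
SAMPLE_EVENTS_JSON = r'''
[
 {"@attributes": {"analyzerhostname": "ws-0142", "analyzeripv4": "10.20.4.17"},
  "rule_name": "Protect Windows registry", "action": "Blocked",
  "process": "C:\\Temp\\installer.exe", "user": "CORP\\alice"},
 {"@attributes": {"analyzerhostname": "ws-0142", "analyzeripv4": "10.20.4.17"},
  "rule_name": "Prevent creation of executables in Windows folder",
  "action": "Would block",
  "process": "C:\\Temp\\installer.exe", "user": "CORP\\alice"},
 {"@attributes": {"analyzerhostname": "srv-db-03", "analyzeripv4": "10.20.9.8"},
  "rule_name": "Protect Trellix processes", "action": "Logged",
  "process": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\svc_backup"},
 {"@attributes": {"analyzerhostname": "ws-0211", "analyzeripv4": "10.20.4.61"},
  "rule_name": "Protect Windows registry", "action": "Blocked",
  "process": "C:\\Program Files\\App\\app.exe", "user": "CORP\\bob"}
]
'''

# Assumed set of verdicts that mean the access attempt was actually prevented.
# Anything else (including a missing verdict) is treated as "not blocked" so
# that an unexpected or malformed value cannot silently suppress an alert.
BLOCKING_ACTIONS = {"blocked", "denied", "terminated"}


def load_events(raw: str = SAMPLE_EVENTS_JSON) -> list:
    """Parse a JSON array of events (defaults to the constructed sample)."""
    return json.loads(raw)


def is_blocked(event: dict) -> bool:
    """True only when the recorded verdict is a known blocking action."""
    return str(event.get("action", "")).strip().lower() in BLOCKING_ACTIONS


def unblocked_violations(events: list) -> list:
    """Return one triage record per violation that was logged but not blocked."""
    records = []
    for ev in events:
        if is_blocked(ev):
            continue
        attrs = ev.get("@attributes", {})
        records.append({
            "host": attrs.get("analyzerhostname", "unknown"),
            "ip": attrs.get("analyzeripv4", "unknown"),
            "rule": ev.get("rule_name", "unknown"),
            "process": ev.get("process", "unknown"),
            "user": ev.get("user", "unknown"),
            "action": ev.get("action", "missing"),
        })
    return records


def violations_per_host(records: list) -> Counter:
    """Count unblocked violations per endpoint to prioritise investigation."""
    return Counter(r["host"] for r in records)


def main() -> None:
    hits = unblocked_violations(load_events())
    for r in hits:
        print(f"[{r['action']}] {r['host']} ({r['ip']}) rule={r['rule']!r} "
              f"user={r['user']} process={r['process']}")
    for host, n in violations_per_host(hits).most_common():
        print(f"{host}: {n} unblocked violation(s)")


if __name__ == "__main__":
    main()
```

Treating every verdict outside the explicit blocking set as "not blocked" errs towards raising an alert; if the real log stream carries additional blocking verdicts, extend `BLOCKING_ACTIONS` rather than loosening the comparison.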