Cisco Secure Endpoint malicious activity detected in system scan

This rule is part of a beta feature. To learn more, contact Support.
cisco-secure-endpoint

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1204-user-execution

Set up the cisco-secure-endpoint integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

This rule is designed to identify and flag instances of potential malicious activity detected during system scans conducted by Cisco Secure Endpoint.

Strategy

This rule monitors and reports the presence of a positive number of malicious detections identified during comprehensive system scans executed by Cisco Secure Endpoint.

Triage and response

  1. Investigate the system scan by hostname: {{@event.computer.hostname}}.
  2. Investigate more about the system scan by scan description ({{@event.scan.description}}) and number of malicious detections ({{@event.scan.malicious_detections}}).
  3. Initiate containment measures to isolate affected systems or endpoints from the network if confirmed as a security threat.
  4. Execute remediation actions, such as deploying security patches, updating antivirus definitions, or performing system scans to remove any detected malware.
  5. Take necessary and appropriate actions based on the company procedures.
PREVIEWING: may/embedded-workflows