Bitdefender unusual spike found in blocked user actions on endpoint

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects unusual spikes found in blocked user actions on the endpoint.

Strategy

This rule monitors Bitdefender user control logs and flags an unusual spike in the number of blocked user actions on an endpoint, keyed by the endpoint's computer IP.
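The following is an added example, not Datadog's rule logic or Bitdefender's own code. It shows the idea behind the rule on constructed log lines: count blocked user-control events per `computer_ip` in fixed time buckets, then flag a bucket whose count is far above that endpoint's own earlier buckets. The log field names (`timestamp`, `computer_ip`, `module`, `action`), the bucket width, and the spike threshold are all assumptions for illustration.

```python
"""Spike detection over constructed Bitdefender-style user-control log lines.

Added example; the JSON field names, the 5-minute buckets and the
mean + K*stdev threshold are assumptions, not the rule's real parameters.
"""
from collections import defaultdict
from datetime import datetime, timezone
import json
import statistics

WINDOW_SECONDS = 300        # bucket width (assumed)
MIN_COUNT = 10              # never alert on fewer blocked actions than this
K = 3.0                     # how many standard deviations above baseline counts as a spike
MIN_BASELINE_BUCKETS = 4    # buckets of history required before a bucket is judged


def parse_line(line):
    """Parse one JSON log line; return (timestamp, computer_ip, module, action) or None."""
    try:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        return ts, rec["computer_ip"], rec.get("module"), rec.get("action")
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed lines are skipped, not fatal


def bucket_counts(lines):
    """Count blocked user-control events per computer_ip per WINDOW_SECONDS bucket."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, module, action = parsed
        if module != "uc" or action != "blocked":   # "uc" = user control (assumed value)
            continue
        bucket = int(ts.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        counts[ip][bucket] += 1
    return counts


def find_spikes(lines):
    """Return one record per (computer_ip, bucket) whose blocked count exceeds
    max(MIN_COUNT, mean + K*stdev) of that endpoint's preceding buckets."""
    spikes = []
    for ip, buckets in bucket_counts(lines).items():
        first, last = min(buckets), max(buckets)
        # Fill gaps with 0 so quiet periods pull the baseline down instead of vanishing.
        series = [(b, buckets.get(b, 0))
                  for b in range(first, last + WINDOW_SECONDS, WINDOW_SECONDS)]
        for i in range(MIN_BASELINE_BUCKETS, len(series)):
            bucket, count = series[i]
            baseline = [c for _, c in series[:i]]
            mean = statistics.fmean(baseline)
            threshold = max(MIN_COUNT, mean + K * statistics.pstdev(baseline))
            if count > threshold:
                spikes.append({
                    "computer_ip": ip,
                    "bucket_start": datetime.fromtimestamp(bucket, timezone.utc).isoformat(),
                    "count": count,
                    "baseline_mean": round(mean, 2),
                })
    return spikes


# --- constructed sample data (not real Bitdefender output) ---
def make_line(offset_s, ip, action="blocked", module="uc"):
    base = datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp() + offset_s
    stamp = datetime.fromtimestamp(base, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return json.dumps({"timestamp": stamp, "computer_ip": ip,
                       "module": module, "action": action})


SAMPLE_LOGS = []
for b in range(5):                       # five 5-minute buckets
    for j in range(3):                   # three blocked actions per bucket per host
        SAMPLE_LOGS.append(make_line(b * 300 + j * 60, "10.0.0.5"))
        SAMPLE_LOGS.append(make_line(b * 300 + j * 60, "10.0.0.9"))
        SAMPLE_LOGS.append(make_line(b * 300 + j * 60, "10.0.0.5", action="allowed"))
for j in range(40):                      # burst of 40 extra blocks on 10.0.0.5 in bucket 4
    SAMPLE_LOGS.append(make_line(4 * 300 + j * 5, "10.0.0.5"))
SAMPLE_LOGS.append("not json at all")   # malformed line, must be ignored

if __name__ == "__main__":
    for spike in find_spikes(SAMPLE_LOGS):
        print(spike)
```

Run as a script it prints a single spike record for `10.0.0.5` in the 00:20 bucket (43 blocked actions against a baseline of 3 per bucket), while `10.0.0.9`, whose blocked count is steady, produces nothing. Allowed actions and the malformed line do not affect the counts. In the real rule the per-endpoint baseline is learned by Datadog's anomaly detection rather than by this fixed threshold.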

Triage and Response

  1. Analyze the user control logs for Computer IP: {{@params.events.computer_ip}} to investigate the spike in blocked user actions on the endpoint.
  2. Review the frequency and nature of blocked access attempts (e.g., specific URLs, applications).
  3. Check if the access attempts were user-initiated or triggered by a process or application.
  4. Terminate any suspicious processes associated with blocked requests.
  5. Update user awareness training to ensure compliance with security policies.