Bitdefender unusual spike found in blocked user actions on endpoint

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects unusual spikes in blocked user actions on an endpoint.

Strategy

This rule monitors Bitdefender user control logs and flags an endpoint when the number of blocked user actions rises sharply above that endpoint's recent baseline.
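The following is an added illustration of the spike logic described above, not Datadog's or Bitdefender's own rule implementation: it buckets blocked events per computer IP into fixed windows and flags an endpoint whose latest window exceeds a multiple of the median of its earlier windows. The event field names (`computer_ip`, `action`, `ts`) and the sample records are constructed for the example; only `computer_ip` comes from the rule parameters on this page.

```python
"""Spike detection over blocked user-control events, keyed by computer IP.

Added example; the event schema and sample data below are constructed
(hypothetical), not Bitdefender's actual log format.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample events: 10.0.0.5 emits a burst of blocks in its last
# window, while 10.0.0.9 stays flat. "ts" is seconds since an arbitrary epoch.
SAMPLE_EVENTS = (
    [{"computer_ip": "10.0.0.5", "action": "blocked", "ts": 60 * i} for i in range(8)]
    + [{"computer_ip": "10.0.0.5", "action": "blocked", "ts": 480 + 5 * i} for i in range(20)]
    + [{"computer_ip": "10.0.0.9", "action": "blocked", "ts": 60 * i} for i in range(9)]
    + [{"computer_ip": "10.0.0.9", "action": "allowed", "ts": 30}]
)


def bucket_blocked(events, window=120):
    """Count blocked events per computer_ip, grouped into window-sized buckets.

    Non-blocked actions (e.g. "allowed") are ignored; only blocks are counted.
    """
    counts = defaultdict(Counter)
    for e in events:
        if e.get("action") != "blocked":
            continue
        counts[e["computer_ip"]][e["ts"] // window] += 1
    return counts


def find_spikes(events, window=120, min_count=10, factor=3.0):
    """Return {computer_ip: details} for endpoints whose latest window is a spike.

    A spike is a latest-window count that is at least min_count (so a quiet
    endpoint going from 0 to 2 blocks is not flagged) and greater than
    factor times the median of all earlier windows (missing windows count 0).
    """
    spikes = {}
    for ip, buckets in bucket_blocked(events, window).items():
        latest = max(buckets)
        earlier = [buckets.get(b, 0) for b in range(min(buckets), latest)]
        if not earlier:
            continue  # one window only: no baseline to compare against
        baseline = median(earlier)
        count = buckets[latest]
        if count >= min_count and count > factor * baseline:
            spikes[ip] = {"latest_count": count, "baseline_median": baseline}
    return spikes
```

With the sample data, `find_spikes(SAMPLE_EVENTS)` flags only 10.0.0.5 (20 blocks against a baseline median of 2 per window), which is the endpoint a triage analyst would then pull user control logs for.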

Triage and Response

  1. Analyze the user control logs for Computer IP: {{@params.events.computer_ip}} to investigate the spike in blocked user actions on the endpoint.
  2. Review the frequency and nature of blocked access attempts (e.g., specific URLs, applications).
  3. Check if the access attempts were user-initiated or triggered by a process or application.
  4. Terminate any suspicious processes associated with blocked requests.
  5. Update user awareness training to ensure compliance with security policies.