Supply-Chain Firewall blocked package manager command

This page is not yet available in French; its translation is in progress.
If you have questions or feedback about our current translation project, please contact us.

Goal

This rule detects instances of Supply-Chain Firewall automatically blocking package manager commands from running.

Strategy

This rule monitors Supply-Chain Firewall’s logs for automatically blocked package manager commands (@evt.outcome:BLOCK -@warned:true). These events occur when Supply-Chain Firewall determines that running a command would result in known malware being installed.

Note that blocked commands with @warned:true correspond to user-initiated cancellations of package manager commands after being presented with warnings by Supply-Chain Firewall. These warnings are generally related to vulnerabilities, not malware, and hence have been excluded.
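As an added example (not part of the original rule documentation or the Supply-Chain Firewall project), the following Python script applies the rule's filter, `@evt.outcome:BLOCK -@warned:true`, to a handful of constructed log lines. The only attributes taken from the rule are `evt.outcome` and `warned`; the `command` and `targets` fields and every package name are assumptions invented for this example. It shows the edge cases the query implies: a user-cancelled warning (`warned: true`) is excluded, while an event with no `warned` attribute at all still matches, because the query only negates `warned:true`.

```python
import json

# Constructed sample log lines modelled on the two attributes the rule queries
# (evt.outcome and warned). The "command" and "targets" fields and all package
# names are assumptions for this example, not real Supply-Chain Firewall output.
SAMPLE_LOGS = [
    # Automatic block: known malware, no warning shown -> should match
    '{"evt": {"outcome": "BLOCK"}, "warned": false, '
    '"command": "npm install example-bad-pkg", "targets": ["example-bad-pkg@1.0.0"]}',
    # User cancelled after a vulnerability warning -> excluded by -@warned:true
    '{"evt": {"outcome": "BLOCK"}, "warned": true, '
    '"command": "pip install example-old-lib", "targets": ["example-old-lib==0.1"]}',
    # Command allowed to run -> not a BLOCK, excluded
    '{"evt": {"outcome": "ALLOW"}, "warned": false, '
    '"command": "npm install lodash", "targets": ["lodash@4.17.21"]}',
    # BLOCK with the warned attribute absent -> still matches (only warned:true is negated)
    '{"evt": {"outcome": "BLOCK"}, '
    '"command": "npm install example-bad-pkg", "targets": ["example-bad-pkg@1.0.0"]}',
    # Malformed line, skipped by the parser
    'not json at all',
]


def get_attr(event, path):
    """Resolve a dotted attribute path such as 'evt.outcome', mirroring @evt.outcome.

    Returns None when any segment of the path is missing.
    """
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_rule(event):
    """Equivalent of the rule query: @evt.outcome:BLOCK -@warned:true."""
    return (
        get_attr(event, "evt.outcome") == "BLOCK"
        and get_attr(event, "warned") is not True
    )


def detect(lines):
    """Parse each log line as JSON and return the events that match the rule."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore non-JSON lines rather than failing the whole batch
        if isinstance(event, dict) and matches_rule(event):
            hits.append(event)
    return hits


def packages_of_concern(events):
    """Deduplicated, order-preserving list of targets across matched events.

    This is the list an analyst would use to audit other endpoints for
    completed installations (triage step 4).
    """
    seen = []
    for event in events:
        for target in event.get("targets", []):
            if target not in seen:
                seen.append(target)
    return seen


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for hit in hits:
        print("BLOCKED:", hit.get("command"), "->", hit.get("targets"))
    print("Packages to audit for:", packages_of_concern(hits))
```

Run as a script it lists the two automatically blocked commands and the single distinct package name to audit for; `matches_rule` can also be used on its own against individual parsed events.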

Triage and response

Any logs detected by this rule are for package manager commands that were blocked from running, so no incident response measures are required.

  • Examine the logs to determine which package(s) caused Supply-Chain Firewall to block.
  • Investigate the context in which the blocked command was executed.
  • Determine whether the blocked command resulted from a false positive in Supply-Chain Firewall’s verifiers.
    • This can occur, for example, when a benign package hosted internally in your enterprise has the same name as a malicious package hosted on the public registry.
  • In the event of a true positive, audit other endpoints in your environment for completed installations of the packages of concern.