Bitdefender unusual spike found in blocked user actions on endpoint

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects an unusual spike in blocked user actions on an endpoint.

Strategy

This rule monitors Bitdefender user control logs and compares the volume of blocked user actions per endpoint against its recent history, flagging an endpoint whose blocked-action count rises unusually far above that baseline.

Triage and Response

  1. Analyze the user control logs for Computer IP: {{@params.events.computer_ip}} to investigate the spike in blocked user actions on the endpoint.
  2. Review the frequency and nature of blocked access attempts (e.g., specific URLs, applications).
  3. Check whether the access attempts were user-initiated or triggered by a process or application.
  4. Terminate any suspicious processes associated with blocked requests.
  5. Update user awareness training to ensure compliance with security policies.
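The strategy above (per-endpoint spike detection over user control logs) and triage steps 2 and 3 (what was blocked, and by which process) are illustrated by the following added example. It is not Datadog's rule implementation and not Bitdefender code: the event layout (module `uc`, `computer_ip`, `blocked`, `url`, `process_name`, ISO-8601 `timestamp`) and the sample events are constructed assumptions, and the baseline method (z-score against preceding hourly windows) is a simple stand-in for whatever the rule actually uses.

```python
"""Spike detection over Bitdefender-style user control events.

Added example, not part of the original page. The field names and the
sample events below are constructed for illustration, not real output.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed start time


def _make_events(computer_ip, counts_per_hour, process_name="chrome.exe",
                 url="example.invalid"):
    """Constructed 'uc' events: counts_per_hour[i] blocked events in hour i."""
    events = []
    for hour, n in enumerate(counts_per_hour):
        for k in range(n):
            ts = T0 + timedelta(hours=hour, minutes=k % 60)
            events.append({
                "module": "uc",                # assumed user control module tag
                "timestamp": ts.isoformat(),
                "computer_ip": computer_ip,
                "blocked": True,
                "url": url,
                "process_name": process_name,
            })
    return events


# Constructed sample: 10.0.0.5 has a flat baseline then a burst in the last
# hour; 10.0.0.7 stays flat throughout.
SAMPLE_EVENTS = (
    _make_events("10.0.0.5", [2, 1, 3, 2, 2, 1, 2, 25])
    + _make_events("10.0.0.7", [1, 2, 1, 2, 1, 1, 2, 1], process_name="updater.exe")
)


def bucket_blocked(events, window=timedelta(hours=1)):
    """Count blocked user-control events per computer_ip and window start (epoch)."""
    size = int(window.total_seconds())
    counts = defaultdict(Counter)
    for ev in events:
        if ev.get("module") != "uc" or not ev.get("blocked"):
            continue
        epoch = int(datetime.fromisoformat(ev["timestamp"]).timestamp())
        counts[ev["computer_ip"]][epoch - epoch % size] += 1
    return counts


def find_spikes(counts, min_baseline_windows=3, z_threshold=3.0, min_count=10):
    """Flag an endpoint whose latest window is z_threshold standard deviations
    above the mean of its preceding windows and also exceeds min_count.

    min_count keeps a jump from 1 to 4 blocked actions from alerting on a
    near-zero baseline; a flat baseline uses a stdev floor of 1.0.
    """
    spikes = []
    for ip, per_window in counts.items():
        ordered = sorted(per_window.items())
        if len(ordered) <= min_baseline_windows:
            continue  # not enough history to call anything unusual
        *history, (latest_start, latest) = ordered
        hist = [c for _, c in history]
        mean = statistics.mean(hist)
        stdev = statistics.pstdev(hist) or 1.0
        z = (latest - mean) / stdev
        if latest >= min_count and z >= z_threshold:
            spikes.append({"computer_ip": ip, "window_start": latest_start,
                           "count": latest, "baseline_mean": round(mean, 2),
                           "z": round(z, 2)})
    return spikes


def summarize_window(events, computer_ip, window_start, window=timedelta(hours=1)):
    """Triage helper: blocked events of one endpoint and window grouped by
    (url, process_name), most frequent first, to see what was blocked and
    whether one process drove the burst."""
    end = window_start + int(window.total_seconds())
    by_target = Counter()
    for ev in events:
        if ev.get("computer_ip") != computer_ip or not ev.get("blocked"):
            continue
        epoch = int(datetime.fromisoformat(ev["timestamp"]).timestamp())
        if window_start <= epoch < end:
            by_target[(ev.get("url"), ev.get("process_name"))] += 1
    return by_target.most_common()


if __name__ == "__main__":
    for spike in find_spikes(bucket_blocked(SAMPLE_EVENTS)):
        print(spike)
        print(summarize_window(SAMPLE_EVENTS, spike["computer_ip"], spike["window_start"]))
```

Only the burst on 10.0.0.5 is reported; the flat endpoint never crosses either threshold. In practice the baseline should span days rather than a handful of hours, and the grouping in `summarize_window` is the point of triage step 3: a single non-browser process generating all the blocks points at automation or malware rather than a user clicking links.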