Cisco Secure Endpoint malicious activity detected in system scan

This rule is part of a beta feature. To learn more, contact Support.

Goal

This rule detects malicious files or processes that Cisco Secure Endpoint reports as found during a system scan of a monitored endpoint.

Strategy

This rule monitors Cisco Secure Endpoint scan-completed events and triggers when a scan reports one or more malicious detections, that is, when @event.scan.malicious_detections is greater than 0. Scans that complete with zero detections do not trigger the rule.
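The following is an added example, not part of the original rule or of any Cisco or Datadog code. It runs the rule's logic over a few constructed Cisco Secure Endpoint-style log lines: it parses each event, reads the attribute paths the rule references (event.computer.hostname, event.scan.description, event.scan.malicious_detections) and emits one signal per scan whose malicious detection count is greater than zero. The event_type strings, the clean flag and the sample values are assumptions made for illustration; the example also handles the edge cases a real pipeline sees (a missing scan block, a count serialised as a string, a malformed line).

```python
import json

# Constructed sample log lines (not real Cisco Secure Endpoint telemetry).
# The attribute paths mirror the ones the rule references; event_type strings
# and the "clean" flag are assumptions for illustration.
SAMPLE_LOGS = [
    # a full scan that found nothing: must not fire
    '{"event": {"event_type": "Scan Completed, No Detections", '
    '"computer": {"hostname": "wks-101"}, '
    '"scan": {"description": "Full Scan", "clean": true, "malicious_detections": 0}}}',
    # a scan with detections: fires
    '{"event": {"event_type": "Scan Completed With Detections", '
    '"computer": {"hostname": "srv-db-02"}, '
    '"scan": {"description": "Full Scan", "clean": false, "malicious_detections": 3}}}',
    # count serialised as a string by an upstream forwarder: still fires
    '{"event": {"event_type": "Scan Completed With Detections", '
    '"computer": {"hostname": "wks-117"}, '
    '"scan": {"description": "Flash Scan", "clean": false, "malicious_detections": "1"}}}',
    # unrelated event type with no scan block: must not fire
    '{"event": {"event_type": "Policy Update", "computer": {"hostname": "wks-117"}}}',
    # malformed line: skipped rather than crashing the evaluation
    'not json at all',
]


def get_path(obj, path):
    """Walk a dotted attribute path (e.g. 'event.scan.description');
    return None if any step is missing instead of raising."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def malicious_detections(event):
    """Return the scan's malicious detection count as an int,
    or None when the field is absent or not a usable number."""
    raw = get_path(event, "event.scan.malicious_detections")
    # bool is a subclass of int in Python; a literal true/false is not a count
    if raw is None or isinstance(raw, bool):
        return None
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def is_malicious_scan(event):
    """The rule condition: scan reported more than zero malicious detections."""
    count = malicious_detections(event)
    return count is not None and count > 0


def evaluate(lines):
    """Run the rule over raw log lines; return one signal dict per matching scan,
    carrying the attributes the triage steps ask an analyst to look at."""
    signals = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed input is dropped, not alerted on
        if not isinstance(event, dict) or not is_malicious_scan(event):
            continue
        signals.append({
            "hostname": get_path(event, "event.computer.hostname"),
            "scan_description": get_path(event, "event.scan.description"),
            "malicious_detections": malicious_detections(event),
        })
    return signals


if __name__ == "__main__":
    for signal in evaluate(SAMPLE_LOGS):
        print(f"SIGNAL host={signal['hostname']} scan={signal['scan_description']!r} "
              f"malicious_detections={signal['malicious_detections']}")
```

Running the block prints two signals (srv-db-02 with 3 detections and wks-117 with 1); the zero-detection scan, the event without a scan block and the malformed line are all ignored. The explicit int coercion matters: a count that arrives as the string "1" would otherwise silently fail a numeric comparison and the detection would be missed.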

Triage and response

  1. Identify the affected host by hostname: {{@event.computer.hostname}}. Determine its role, owner and network exposure.
  2. Review the scan details: the scan description ({{@event.scan.description}}) and the number of malicious detections ({{@event.scan.malicious_detections}}). In the Cisco Secure Endpoint console, check which files or processes were detected on this host and whether they were quarantined.
  3. If the detections are confirmed as a genuine threat, isolate the affected endpoint from the network until it is confirmed clean.
  4. Remediate: confirm the detected items were quarantined or removed, update antivirus definitions, apply any security patches that close the entry point, and rerun a full scan to verify the endpoint is clean.
  5. Follow your organization's incident response procedures for escalation, documentation and user notification.