Trend Micro Vision One Endpoint Security alert: Suspicious file detected
Goal
Identify incidents where a suspicious file is detected on an endpoint.
Strategy
Monitor events for instances where a suspicious file is detected on an endpoint. This scenario suggests potential threats or unauthorized activities, indicating a need for further investigation to determine if the file poses a security risk or indicates a compromise. Correlate these events with file details such as type, path, and actions taken to assess the potential threat. Evaluate whether the suspicious file indicates unauthorized activity or is part of a broader compromise requiring immediate investigation.
Triage and Response
- Identify the affected endpoint using its name (
{{@source_host_name}}) and IP address ({{@endpoint_ip}}). - Review the file type ({{@file_type}}
) and file path ({{@file_path}}`) to understand the nature and location of the suspicious file. - Determine the action taken on the file to assess any immediate impacts or threats.
- Isolate the endpoint to prevent further potential issues related to the suspicious file.
- Remove or quarantine the suspicious file and perform a scan to ensure no additional threats are present.
