Trend Micro Vision One Endpoint Security alert: Virus or malware detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect events generated by Trend Micro Vision One Endpoint Security that identify a virus or malware.

Strategy

Monitor endpoint security events for virus or malware detections and analyze the provided details to evaluate the nature and potential impact of the threat. This detection rule surfaces the event's context, including the affected endpoint and the specific virus or malware identified. Such events can signal the presence of harmful software that may compromise the endpoint, requiring prompt action.

Triage and Response

  1. Verify the type of event detected, focusing on the virus or malware name: {{@malware_name}}.
  2. Review the impacted endpoint, considering the host name ({{@source_host_name}}) and endpoint IP ({{@endpoint_ip}}).
  3. If the event confirms the presence of malware or a virus, quarantine or isolate the affected endpoint from the network as necessary.
  4. Continue monitoring the affected endpoint for additional suspicious activity or further threats.
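A worked example of the triage steps above, added here and not part of the Datadog rule or the Trend Micro integration: it applies the step 1 filter to constructed events and groups the step 2 and 3 facts per host, flagging hosts where the agent did not already contain the file. Field names other than the rule's template attributes (eventName, action) and the action vocabulary are assumptions.

```python
# Constructed sample events (not a real Vision One capture). malware_name,
# source_host_name and endpoint_ip mirror the rule's template attributes;
# "eventName" and "action" are assumed field names.
SAMPLE_EVENTS = [
    {"eventName": "Virus or malware detected", "malware_name": "Trojan.Win32.TESTFILE.A",
     "source_host_name": "ws-finance-01", "endpoint_ip": "10.10.4.21", "action": "quarantined"},
    {"eventName": "Virus or malware detected", "malware_name": "Ransom.Win64.TESTSAMPLE.B",
     "source_host_name": "ws-finance-01", "endpoint_ip": "10.10.4.21", "action": "access denied"},
    {"eventName": "Policy updated", "source_host_name": "ws-hr-07", "endpoint_ip": "10.10.9.3"},
    {"eventName": "Virus or malware detected", "malware_name": "Eicar_test_file",
     "source_host_name": "lab-scan-02", "endpoint_ip": "10.10.77.8", "action": "cleaned"},
]

# Agent actions treated as "file already contained" (assumed vocabulary).
CONTAINED_ACTIONS = {"quarantined", "cleaned", "deleted"}


def is_malware_detection(event):
    """Step 1: keep only events the product labels as a virus/malware detection
    and that carry a malware name to report on."""
    return (event.get("eventName") == "Virus or malware detected"
            and bool(event.get("malware_name")))


def triage(events):
    """Steps 2 and 3: group detections by host name, collect the endpoint IP and
    malware names seen, and flag the host for isolation when any detection was
    not contained by the agent."""
    by_host = {}
    for ev in filter(is_malware_detection, events):
        host = ev.get("source_host_name", "unknown")
        rec = by_host.setdefault(host, {
            "endpoint_ip": ev.get("endpoint_ip"),
            "malware_names": set(),
            "detections": 0,
            "needs_isolation": False,
        })
        rec["malware_names"].add(ev["malware_name"])
        rec["detections"] += 1
        if ev.get("action", "").lower() not in CONTAINED_ACTIONS:
            rec["needs_isolation"] = True
    return by_host


if __name__ == "__main__":
    for host, rec in triage(SAMPLE_EVENTS).items():
        print(host, rec["endpoint_ip"], sorted(rec["malware_names"]),
              "ISOLATE" if rec["needs_isolation"] else "contained")
```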