
About the rule_name and atp_rule_id values in SEDR Incident and Event data


Article ID: 174008


Products

Endpoint Detection and Response

Issue/Introduction

There are two levels of detail associated with Incident data delivered through syslog and the SEDR APIv2 (this includes the Splunk connector and QRadar). This information is not viewable in the SEDR appliance web interface.

  1. Incident Level – Rule Name
  2. Event Level – ATT&CK name

For most incident types, the incident rule name is sufficient. For some, such as AAT (Advanced Attack Technique), more context is needed. For these, we recommend that you use the ATT&CK labeling.

The labeling would be in the form: "mitre":{"technique_name":"Rundll32", "technique_id":"T1085", "tactic":"Defense Evasion.."}

The details related to “technique_id” -> “T1085” can be found at https://attack.mitre.org/techniques/enterprise/
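One way a syslog or API consumer could apply this recommendation, shown as an added example that is not part of the original article or of Symantec's tooling: keep the rule name for most incidents, and append the ATT&CK label from the events for Advanced Attack Technique incidents. The `rule_name`, `atp_rule_id` and `mitre` fields come from the article; the `type`, `uuid` and `incident` fields and the sample records are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records. "rule_name", "atp_rule_id" and the "mitre" object
# come from the article; "type", "uuid" and "incident" are assumed field names.
SAMPLE_LINES = [
    '{"type":"incident","uuid":"inc-1","rule_name":"Advanced Attack Technique",'
    '"atp_rule_id":"AdvancedAttackTechniqueIncident"}',
    '{"type":"event","incident":"inc-1","mitre":{"technique_name":"Rundll32",'
    '"technique_id":"T1085","tactic":"Defense Evasion"}}',
    '{"type":"event","incident":"inc-1","mitre":{"technique_name":"Rundll32",'
    '"technique_id":"T1085","tactic":"Defense Evasion"}}',
    '{"type":"incident","uuid":"inc-2","rule_name":"Critical Cynic Detections",'
    '"atp_rule_id":"CynicIncident"}',
    '{"type":"event","incident":"inc-2"}',
    'plain syslog text that is not a JSON record',
]

# Rule IDs whose name alone is too generic to triage on (per the article: AAT).
NEEDS_ATTACK_CONTEXT = {"AdvancedAttackTechniqueIncident"}

def label_incidents(lines):
    """Return {incident uuid: label}, adding ATT&CK detail where the rule name is generic."""
    incidents, techniques = {}, defaultdict(dict)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if not isinstance(rec, dict):
            continue
        if rec.get("type") == "incident":
            incidents[rec.get("uuid")] = rec
        elif rec.get("type") == "event":
            mitre = rec.get("mitre")
            if isinstance(mitre, dict) and mitre.get("technique_id"):
                # De-duplicate repeated techniques within one incident.
                techniques[rec.get("incident")][mitre["technique_id"]] = mitre
    labels = {}
    for uuid, inc in incidents.items():
        label = inc.get("rule_name", "unknown")
        if inc.get("atp_rule_id") in NEEDS_ATTACK_CONTEXT:
            detail = ", ".join(
                f'{tid} {m.get("technique_name", "?")} ({m.get("tactic", "?")})'
                for tid, m in sorted(techniques.get(uuid, {}).items()))
            label += ": " + (detail or "no ATT&CK label on events")
        labels[uuid] = label
    return labels
```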

Resolution

Find below an overview of different “rule name” & “atp_rule_id” values:

 

| Rule name | atp_rule_id | Description | Recommended Actions |
|---|---|---|---|
| Advanced Attack Technique | AdvancedAttackTechniqueIncident | Incident is created because Symantec EDR got an Advanced Attack Technique from SONAR's BPE. | The action that is recommended by SONAR. Values: 0: Unknown; 1: Remediate; 2: Block. |
| Critical AVE Email Detections | AVEEmailIncident | Incident is created because Symantec EDR got one unblocked AVE email detected. | Investigate the file and other email detections associated with the sender, recipients, attached files, and websites. You might also want to consider blacklisting associated sites and remediating associated files. |
| Critical AVE detections | AVEIncident | Incident is created because Symantec EDR got one critical AVE or LCP detection that was not blocked. | You can isolate the endpoint(s), remove the file(s) and/or clean the system(s). |
| Breach Detection | BDSIncident | Incident is created because Symantec EDR got an incident from BDS. | The incident recommended actions provided by the Breach Detection Service (BDS). |
| Critical Cynic Detections | CynicIncident | Incident is created because Symantec EDR got one Cynic detection. | You can isolate the endpoint(s), remove the file(s) and/or clean the system(s). |
| Access to C&C web site(s) | DeepsightCnCIncident | Command and Control Domain ${DEEPSIGHT_DOMAIN.EN_US} Detected | Consider blacklisting the site. In addition, you may need to investigate the source of exposure to see if further action is required. |
| Access to malicious web site(s) | DeepsightMaliciousIncident | Malicious Domain ${DEEPSIGHT_DOMAIN.EN_US} Detected | Consider blacklisting the site. In addition, you may need to investigate the source of the exposure to see if further action is required. |
| Multiple IoCs from one actor | MultiEventsFromOneActor | Multiple IoCs (Indicators of Compromise) from one actor detected. | View the analysis below. Begin your incident response plan, such as determining the scope of the attack, containing the breach, eradicating infection, recovering the environment, and learning lessons to improve organizational security. |
| Multiple IoCs from one sha256 indicator | MultiEventsFromOneFileIoC | Multiple IoCs from one sha256 indicator detected. | View the analysis below. Begin your incident response plan, such as determining the scope of the attack, containing the breach, eradicating infection, recovering the environment, and learning lessons to improve organizational security. |
| Multiple IoCs from same signature and url | MultiEventsFromOneNetworkIoC | Multiple IoCs from same signature and url detected. | View the analysis below. Begin your incident response plan, such as determining the scope of the attack, containing the breach, eradicating infection, recovering the environment, and learning lessons to improve organizational security. |
| Multiple detections are from one computer | MultiEventsFromOneSourceHost | A large number of conviction events found on a source host within the last hour. | If this site is not business critical, consider adding it to the Blacklist. Otherwise, consider creating a sinkhole server in your DNS to block the site. |
| Unresolved Risk | MultiEventsFromOneUnresolvedRisk | Incident created because it's believed SEP identified a threat and it was not blocked. | Review the SEP settings, isolate the endpoint(s), remove the file(s), and/or clean the system(s). |
| Multiple detections targeted to one computer | MultiEventsToOneTargetHost | A large number of conviction events found on a target machine within the last hour. | Remove any software that attempts the malicious activity. Also, consider contacting the computer's user about browsing activity that can result in malicious downloads. |
| Critical NDC detections | NDCIncident | Incident is created because Symantec EDR got one critical NDC detection. | Ensure any related vulnerable software is patched. You can blacklist the site(s) or remove the file(s). |
| PEP detections | PEPIncident | Memory Exploit Attack detected | Symantec Endpoint Protection blocked the memory attack. However, the endpoints may still be infected. Investigate the infected endpoints. Retrieve all related recorded process or endpoint events for further investigation. Isolate the endpoints and/or clean the detection. |
| Anti-analysis technique | PSAttemptDetectSandbox | Suspicious PowerShell detected: anti-analysis technique used | Attackers might be attempting to detect if the process is running within a virtual environment to avoid detection by a sandbox-based malware detection engine. Investigate the process that invoked PowerShell. Isolate and remediate affected endpoints. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Base64 encoded and compressed command line | PSBase64EncodedAndCompressedCommandLine | Suspicious PowerShell detected: suspicious obfuscated command executed | Attackers encode PowerShell to obfuscate and to simplify execution of complex, multi-line commands. Investigate the intent of the decoded command and the process that invoked PowerShell. A possible approach to decoding the contents is to modify the original PowerShell command line to write the contents of the decoded command instead of invoking it. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Download and execute .DLL | PSDownloadAndExecDLL | Suspicious PowerShell detected: .dll downloaded from a remote location and executed | Investigate the process that invoked PowerShell and examine the contents of the .dll file using a decompiler. Isolate and remediate affected endpoints and delete/clean infected files. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Content downloaded from a remote location and executed | PSDownloadExecuteFromRemote | Suspicious PowerShell detected: content downloaded from a remote location and executed | Investigate the downloaded content and download sites. Isolate and remediate affected endpoints and delete/clean infected files if they have not been blocked already by Symantec Endpoint Protection. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Execution of PS script stored in registry | PSExecuteFromRegistry | Suspicious PowerShell detected: execution of PS script stored in registry | Attackers hide PowerShell scripts in the registry to achieve persistence and evade detection. Investigate the content of the PowerShell script stored in the registry. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Extract and store cookies | PSExtractAndStoreCookie | Suspicious PowerShell detected: extract and store cookies | Investigate the process that invoked the PowerShell command and remediate, as needed. Notify the user to change account credentials across websites. Isolate and remediate affected endpoints and delete/clean infected files. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Execution of file-less shellcode | PSFilelessShellCode | Suspicious PowerShell detected: In-memory malware executed | In-memory execution is used by attackers to perform malicious activities without writing the malware file to disk. Investigate the shell code that is specified in the PowerShell command and the invoking process to assess the next steps for remediation. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Suspicious encoded PowerShell command invoked | PSHiddenModeBypassExecution | Suspicious PowerShell detected: suspicious encoded command invoked | Attackers encode PowerShell to obfuscate and to simplify execution of complex, multi-line commands. Investigate the intent of the decoded command and the process that invoked PowerShell. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Invoke Mimikatz to attempt credential theft | PSInvokeMimikatzCredentialTheft | Malicious PowerShell detected: credential theft | Mimikatz is a tool that is used to extract system and domain credentials for hacking and penetration testing. If you suspect a breach, investigate the attacker entry points and the scope of the attack. Isolate and remediate affected endpoints. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. Consider changing the user's password. |
| Invoke a Powersploit command | PSInvokePowersploit | Suspicious PowerShell detected: Powersploit | Powersploit is a set of PowerShell scripts that is used for hacking and penetration testing. If you suspect a breach, investigate the attacker entry points and the scope of the attack. Isolate and remediate affected endpoints. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Targeted Email Attack | TargetedEmailAttackIncident | Incident is created because email detection technology says that email is part of a targeted attack. | Investigate the other email detections that are associated with the sender, recipients, attached files and websites. You might also want to consider blacklisting associated sites and files. |
| Targeted Attack | TargetedAttackIncident | Incident is created because Cynic metadata says that file is part of a targeted attack. | You can isolate the endpoint(s), remove the file(s) and/or clean the system(s). |
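For the PSBase64EncodedAndCompressedCommandLine and PSHiddenModeBypassExecution entries, which recommend investigating the decoded command, the following added example (not from the original article or Symantec tooling) peels the encoding layers offline in Python rather than by modifying and re-running the PowerShell command line as the article suggests, so nothing is executed. The regular expressions and the sample command line are constructed assumptions about how such a command is typically laid out.

```python
import base64
import binascii
import re
import zlib

# -e / -enc / -EncodedCommand take base64 of UTF-16LE text.
ENC_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
# Inner stages usually carry the compressed blob as a FromBase64String('...') literal.
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]", re.I)

def inflate(blob):
    """Try raw deflate, gzip, then zlib framing; return None if none fits."""
    for wbits in (-15, 31, 15):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            pass
    return None

def decode_layers(command_line, max_depth=5):
    """Peel encoding layers statically; returns decoded texts, outermost first."""
    layers, current = [], command_line
    for _ in range(max_depth):
        try:
            m = ENC_ARG.search(current)
            if m:
                text = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
            else:
                m = B64_LITERAL.search(current)
                if not m:
                    break
                raw = base64.b64decode(m.group(1))
                data = inflate(raw)
                text = (raw if data is None else data).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break  # malformed base64: stop and return what was recovered
        layers.append(text)
        current = text
    return layers

def build_sample():
    """Constructed, non-functional sample: benign text, raw-deflated, wrapped twice."""
    inner = "Write-Output 'constructed sample payload'"
    c = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(c.compress(inner.encode()) + c.flush()).decode()
    stage = "[Convert]::FromBase64String('" + blob + "')  # decompress stub omitted"
    return "powershell.exe -nop -enc " + base64.b64encode(stage.encode("utf-16-le")).decode()
```

Feed `decode_layers` the command line recorded in the event; the last element of the returned list is the innermost text to review.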