A large number of MITRE incidents are being generated

Article ID: 189619

Products

Endpoint Detection and Response

Issue/Introduction

There are a large number of MITRE incidents being generated with the bash.virus_name of SONAR.SuspCL!g1.

Cause

The SDS signature underlying the BPE signature SONAR.SuspCL!g1 is CL.Downloader!sr13, which is a telemetry-silent signature.

Resolution

As a temporary workaround, SEP released a SONAR definition set that removes the silent check.

Starting with SEDR 4.4, SEDR does not create events for these telemetry signatures.