A large number of MITRE incidents are being generated
Article ID: 189619
Products
Endpoint Detection and Response
Issue/Introduction
There are a large number of MITRE incidents being generated with the bash.virus_name of SONAR.SuspCL!g1.
Cause
The BPE signature underlying the SDS signature for SONAR.SuspCL!g1 is CL.Downloader!sr13, which is a silent telemetry signature.
Resolution
As a temporary workaround, SEP released a SONAR definition set that removed the silent check.
Starting with SEDR 4.4, SEDR does not create events for these telemetry signatures.