Important information about Incident Rule ID 4294926711 - Trusted process attempted to run suspicious command line

Article ID: 190556

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

This incident rule aggregates more than 100 underlying rules that detect attempts to launch suspicious or malicious commands or scripts, so a high Weekly Est. value can be misleading. Consider this before you disable the Incident Rule, because disabling it also disables the detections for every other suspicious script or command it covers.

Resolution

For example, assume that an endpoint is under an active breach, and Rule Id 4290642353 detected an attempt to execute a suspicious PowerShell command. After some time, another attempt was made to execute a different PowerShell command, but this attempt was detected by a different rule (Rule Id 4290642301). Both of these detections are communicated to Symantec EDR as separate events but with the same rule ID (Rule Id 4294926711) and the description "Trusted process attempted to run suspicious command line". The same applies to execution-attempt detections for over 100 different types of scripts and commands, which is why the Weekly Est. value can be especially high.

Conversely, consider the same example, but this time Rule Id 4290642353 is considered a true positive and Rule Id 4290642301 is considered a false positive. Both still appear as Rule Id 4294926711, since both were detected during attempted executions. Disabling the "Trusted process attempted to run suspicious command line" rule (Rule Id 4294926711) prevents either detection from generating an incident.
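The following added example (not from the article or from Symantec) shows how to make the disabling decision on a per-sub-rule basis instead of on the aggregate Weekly Est. count. It assumes each exported event carries the underlying sub-rule ID alongside the incident rule ID and an analyst verdict; the field names and the sample events are constructed, and only the rule IDs named above are used.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

PARENT_RULE_ID = 4294926711  # "Trusted process attempted to run suspicious command line"


@dataclass(frozen=True)
class Detection:
    incident_rule_id: int   # rule ID shown on the incident (assumed field name)
    detection_rule_id: int  # underlying sub-rule that actually matched (assumed field name)
    verdict: str            # analyst verdict: "TP", "FP" or "unreviewed" (assumed)


# Constructed sample week: both sub-rules from the article, rolled up under one parent rule.
SAMPLE = [
    Detection(PARENT_RULE_ID, 4290642353, "TP"),
    Detection(PARENT_RULE_ID, 4290642353, "TP"),
    Detection(PARENT_RULE_ID, 4290642301, "FP"),
    Detection(PARENT_RULE_ID, 4290642301, "FP"),
    Detection(PARENT_RULE_ID, 4290642301, "FP"),
    Detection(PARENT_RULE_ID, 4290642301, "unreviewed"),
]


def weekly_estimate(events, parent_id=PARENT_RULE_ID):
    """Reproduce the misleading aggregate: every sub-rule hit counts toward the parent."""
    return sum(1 for e in events if e.incident_rule_id == parent_id)


def per_subrule(events, parent_id=PARENT_RULE_ID):
    """Break the parent's count down by the sub-rule that fired, with verdict tallies."""
    tallies = defaultdict(Counter)
    for e in events:
        if e.incident_rule_id == parent_id:
            tallies[e.detection_rule_id][e.verdict] += 1
    return {rid: dict(c) for rid, c in tallies.items()}


def true_positives_lost_if_disabled(events, parent_id=PARENT_RULE_ID):
    """Sub-rules with confirmed true positives that go silent if the parent rule is disabled."""
    return sorted(rid for rid, c in per_subrule(events, parent_id).items() if c.get("TP", 0))


def all_false_positive_subrules(events, parent_id=PARENT_RULE_ID, min_reviewed=3):
    """Sub-rules whose reviewed hits are all FPs: tune these instead of the whole parent rule."""
    noisy = []
    for rid, c in per_subrule(events, parent_id).items():
        reviewed = c.get("TP", 0) + c.get("FP", 0)
        if reviewed >= min_reviewed and c.get("TP", 0) == 0:
            noisy.append(rid)
    return sorted(noisy)


if __name__ == "__main__":
    print("Weekly Est. under parent rule:", weekly_estimate(SAMPLE))
    print("TPs lost if parent disabled:", true_positives_lost_if_disabled(SAMPLE))
    print("All-FP sub-rules to tune:", all_false_positive_subrules(SAMPLE))
```

With the constructed week, the aggregate count is 6 while only one sub-rule is noise, so the output argues for tuning 4290642301 rather than disabling 4294926711 and losing the 4290642353 true positives.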