EDR records a network detection from SEP endpoint

Article ID: 218151

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

Endpoint Detection and Response (EDR) records network events related to Trojan.Trickybot that originate from the Intrusion Prevention System (IPS) component of the Symantec Endpoint Protection (SEP) client.

EDR creates an incident whose Description contains "Malicious Traffic Detected" and/or whose MITRE Tactic contains "Command and Control".

Environment

Release: 4.5.0

Example of details from the incident shown in EDR:

app_name     E:/TOMCAT/BIN/TOMCAT7.EXE
categories     Attack, Malcode, Trojan
data_source_url_domain https://source.url.example.com
data_type     event
deepsight_domain     notavailable
description     Malicious traffic detected: System Infected: Trojan.Trickybot Activity 15
device_ip 192.0.2.10
device_name    <DEVICE_NAME>
device_time     2021-06-08 20:08:00 UTC
device_uid     9a52620b-7e80-4e78-bf32-db901c24643c
domain_name     null
event_actor.pid     620
event_id     206: Intrusion detected
event_log_name     epmp_events-2021-06-08/event
event_source     1
event_uuid     39887aa0-c895-11eb-dcee-0000181b4915
external_ip  192.0.2.100
external_port     18878
host_name    <HOSTNAME>
incident     32db1930-c884-11eb-c293-000000000273
incident_priority_level     HIGH
infected     true
internal_ip    192.0.2.10
internal_port     443
intrusion_url     https://www.example.com:443/intrusion_URL
local_host_mac     000000000000
log_time     2021-06-08 20:12:19 UTC
mitre.tactic     Command and Control
mitre.technique_id     T1071
mitre.technique_name     Standard Application Layer Protocol
network_protocol     2: TCP
on_premises     true
remote_host_mac     000000000000
severity     3: Critical
sid     32350
signature_id     32350
signature_name     System Infected: Trojan.Trickybot Activity 15
symc_device_action     2: Detected
time     2021-06-08 20:08:00 UTC
timezone     UTC
traffic_direction     2: Outbound
type_id     4124: Endpoint Detection
user_name     none


Resolution

The EDR product is working as designed.

This incident is correctly labeled as outbound traffic: the SEP endpoint initiated the TCP connection, and this endpoint and others were trying to reach outside parties.

  • The field device_ip shows which SEP endpoint detected the traffic with its IPS component; in the example above it matches internal_ip, as expected for a detection made on the endpoint itself.
  • The field external_ip (together with external_port) shows the other endpoint of the TCP connection.
  • The fields app_name and event_actor.pid identify the process on the SEP endpoint associated with the connection; that process is the natural starting point when deciding whether the detection is a false positive.

 

This type of detection may be either a false positive or a Command and Control connection from the device_ip to the external_ip. In either case, Broadcom recommends further investigation by a member of the local Security Operations Center (SOC) team.
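The following script is an added example for SOC analysts and is not part of this article or of the EDR product. It parses the key/value field dump shown above (constructed here from the article's example, using RFC 5737 documentation addresses), normalizes the coded enumerations ("2: Outbound") and the thousands-separated port, identifies incidents that match this article's pattern, and works out which side initiated the connection from traffic_direction so that device_ip, external_ip and the owning process can be handed to the analyst in one summary. The helper names (parse_event, label, port, matches_article_pattern, triage) are this example's own.

```python
"""Triage helper for SEP IPS network detections recorded by EDR (added example)."""
import re

# Constructed sample: the fields from the article's incident that the triage
# needs. Addresses are from the RFC 5737 documentation range, as in the article.
SAMPLE_EVENT = """\
app_name     E:/TOMCAT/BIN/TOMCAT7.EXE
description     Malicious traffic detected: System Infected: Trojan.Trickybot Activity 15
device_ip 192.0.2.10
event_actor.pid     620
event_id     206: Intrusion detected
external_ip  192.0.2.100
external_port     18,878
internal_ip    192.0.2.10
internal_port     443
mitre.tactic     Command and Control
mitre.technique_id     T1071
network_protocol     2: TCP
severity     3: Critical
signature_id     32350
symc_device_action     2: Detected
traffic_direction     2: Outbound
"""

_FIELD = re.compile(r"^(\S+)\s+(.*)$")


def parse_event(text: str) -> dict:
    """Turn 'key<whitespace>value' lines into a dict; values are kept as text."""
    fields = {}
    for raw in text.splitlines():
        m = _FIELD.match(raw.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def label(value: str) -> str:
    """EDR renders enumerations as 'code: Label' (e.g. '2: Outbound'); return the label."""
    _, sep, rest = value.partition(":")
    return rest.strip() if sep else value.strip()


def port(value: str) -> int:
    """Ports may be displayed with a thousands separator ('18,878'); normalize to int."""
    return int(value.replace(",", ""))


def matches_article_pattern(fields: dict) -> bool:
    """True when the incident matches this article: 'Malicious Traffic Detected'
    in the description and/or 'Command and Control' as the MITRE tactic."""
    return ("malicious traffic detected" in fields.get("description", "").lower()
            or "command and control" in fields.get("mitre.tactic", "").lower())


def triage(fields: dict) -> dict:
    """Summarize who talked to whom, which process was involved, and whether the
    device_ip / internal_ip pair is self-consistent."""
    direction = label(fields.get("traffic_direction", ""))
    outbound = direction.lower() == "outbound"
    local = fields["device_ip"]          # the SEP endpoint whose IPS fired
    remote = fields["external_ip"]       # the other end of the TCP connection
    # Outbound means the SEP endpoint opened the connection; otherwise the remote did.
    initiator, responder = (local, remote) if outbound else (remote, local)
    return {
        "detecting_endpoint": local,
        "process": fields.get("app_name"),
        "pid": int(fields["event_actor.pid"]) if "event_actor.pid" in fields else None,
        "direction": direction,
        "initiator": initiator,
        "responder": responder,
        "remote_port": port(fields["external_port"]),
        "protocol": label(fields.get("network_protocol", "")),
        "signature_id": int(fields["signature_id"]),
        "article_pattern": matches_article_pattern(fields),
        # On a self-detection the endpoint's own address should appear in both fields.
        "ip_fields_consistent": fields.get("internal_ip", local) == local,
    }


if __name__ == "__main__":
    result = triage(parse_event(SAMPLE_EVENT))
    for key, value in result.items():
        print(f"{key:22} {value}")
```

Running the block prints one line per summary field for the constructed event; in a real deployment the same functions would be fed each incident's exported field dump and the result handed to the SOC analyst who decides between false positive and Command and Control.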