Endpoint Detection and Response (EDR) records network events related to Trojan.Trickybot from the IPS component of the Symantec Endpoint Protection (SEP) client.
EDR creates an incident whose Description contains "Malicious Traffic Detected" and/or whose MITRE Tactic contains "Command and Control".
Release: 4.5.0
Example of details from the incident shown in EDR:
app_name E:/TOMCAT/BIN/TOMCAT7.EXE
categories Attack, Malcode, Trojan
data_source_url_domain [REMOVED BY KB AUTHOR]
data_type event
deepsight_domain notavailable
description Malicious traffic detected: System Infected: Trojan.Trickybot Activity 15
device_ip [REMOVED BY KB AUTHOR]
device_name [REMOVED BY KB AUTHOR]
device_time 2021-06-08 20:08:00 UTC
device_uid 9a52620b-7e80-4e78-bf32-db901c24643c
domain_name null
event_actor.pid 620
event_id 206: Intrusion detected
event_log_name epmp_events-2021-06-08/event
event_source 1
event_uuid 39887aa0-c895-11eb-dcee-0000181b4915
external_ip [REMOVED BY KB AUTHOR]
external_port 18,878
host_name [REMOVED BY KB AUTHOR]
incident 32db1930-c884-11eb-c293-000000000273
incident_priority_level HIGH
infected true
internal_ip [REMOVED BY KB AUTHOR]
internal_port 443
intrusion_url http://[REMOVED BY KB AUTHOR]:443/tot43/DESKTOP-JGLLJLF_W10016299.1CF3DD28B304BBF734B33FBDF1762BBE/83/
local_host_mac 000000000000
log_time 2021-06-08 20:12:19 UTC
mitre.tactic Command and Control
mitre.technique_id T1071
mitre.technique_name Standard Application Layer Protocol
network_protocol 2: TCP
on_premises true
remote_host_mac 000000000000
severity 3: Critical
sid 32350
signature_id 32350
signature_name System Infected: Trojan.Trickybot Activity 15
symc_device_action 2: Detected
time 2021-06-08 20:08:00 UTC
timezone UTC
traffic_direction 2: Outbound
type_id 4124: Endpoint Detection
user_name none
The EDR product is working as designed.
This incident is correctly labeled as outbound traffic: this endpoint, and others, were trying to reach outside parties.
This type of detection may be either a false positive or a genuine Command and Control connection from the device_ip to the external_ip. In either case, Broadcom recommends further investigation by a local Security Operations Center team member.
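As an added example (not Broadcom or Symantec code), the helper below parses the flattened key/value record shown above and pulls out the fields a SOC analyst pivots on when deciding between a false positive and real C2: the originating process and PID, the remote endpoint, the IPS signature and the MITRE mapping. The sample record is constructed from the article's redacted event, with RFC 5737 documentation addresses standing in for the removed IPs.

```python
import re

# Constructed sample based on the article's redacted record; the IPs are
# documentation placeholders (RFC 5737), not the values from the incident.
SAMPLE_EVENT = """\
app_name E:/TOMCAT/BIN/TOMCAT7.EXE
description Malicious traffic detected: System Infected: Trojan.Trickybot Activity 15
device_ip 192.0.2.10
event_actor.pid 620
external_ip 203.0.113.7
external_port 18,878
mitre.tactic Command and Control
mitre.technique_id T1071
signature_id 32350
traffic_direction 2: Outbound
"""

CODED = re.compile(r"^(\d+):\s*(.+)$")  # EDR fields like "2: Outbound"


def parse_event(text: str) -> dict:
    """Split 'key value' lines; decode 'N: label' fields and numeric ports."""
    event = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        coded = CODED.match(value)
        if coded:
            event[key] = {"code": int(coded.group(1)), "label": coded.group(2)}
        elif key.endswith("_port"):
            event[key] = int(value.replace(",", ""))  # "18,878" -> 18878
        else:
            event[key] = value
    return event


def triage(event: dict) -> dict:
    """Flag records matching the article's pattern and collect SOC pivots."""
    desc = event.get("description", "").lower()
    c2 = event.get("mitre.tactic") == "Command and Control"
    direction = event.get("traffic_direction")
    return {
        "matches_pattern": "malicious traffic detected" in desc or c2,
        "outbound": isinstance(direction, dict) and direction["label"] == "Outbound",
        # The process behind the connection decides false positive vs real C2.
        "process": event.get("app_name"),
        "pid": event.get("event_actor.pid"),
        "remote": f"{event.get('external_ip')}:{event.get('external_port')}",
        "signature_id": event.get("signature_id"),
        "technique": event.get("mitre.technique_id"),
    }
```

Running `triage(parse_event(SAMPLE_EVENT))` on the sample flags the record as an outbound match and reports TOMCAT7.EXE (PID 620) as the process to examine first.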