Attack event details are missing data in some fields

Article ID: 242869

Products

  • Endpoint Security Complete
  • Endpoint Threat Defense for Active Directory

Issue/Introduction

Some attack events have no details about the network connection and appear incomplete: the Destination IP, Protocol, or Source IP fields may be empty.

Cause

Some events are triggered before a connection has been established, or after the socket has already been killed, so no connection details exist to report. This is expected behaviour, not data loss.

Resolution

  • Computer Information Gathering attack events never report connection details, because this detection is not based on a network connection.

  • Untrusted SMB Connection attack events may not report Destination IP, Protocol, or Source IP.
    When the first event in an attack is blocked, the socket is killed as well. Any later attempt to send data on that socket is still caught and reported as a further event, even though the send fails, and no connection details are available for it.
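The two cases above can be applied as triage rules when reviewing exported events. The script below is an added example and is not part of the article or the product; the event field names (`attack`, `attack_id`, `time`, `action`, `source_ip`, `destination_ip`, `protocol`) and the sample events are constructed assumptions, not the product's export format. It groups events by attack, orders them by time, and for every event with empty connection fields records why they are expected to be empty, or flags the event for review when neither rule applies.

```python
"""Triage helper for attack events that lack connection details.

Added example, not product code.  The event schema and sample data below
are assumptions made for illustration.
"""
from collections import defaultdict

# Fields the article says may be empty.
CONNECTION_FIELDS = ("source_ip", "destination_ip", "protocol")

# Detection that is not connection-based: never carries connection details.
NON_CONNECTION_ATTACKS = {"Computer Information Gathering"}

# Detection whose follow-on events may lack details once the first event
# in the attack was blocked and its socket killed.
SOCKET_KILL_ATTACKS = {"Untrusted SMB Connection"}

# Constructed sample events (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"id": 1, "attack_id": "A1", "attack": "Computer Information Gathering",
     "time": 100, "action": "Detected"},
    # First event of attack A2: blocked, connection details present.
    {"id": 2, "attack_id": "A2", "attack": "Untrusted SMB Connection",
     "time": 200, "action": "Blocked", "source_ip": "10.0.0.5",
     "destination_ip": "10.0.0.10", "protocol": "TCP"},
    # Later send on the killed socket: caught, but no connection details.
    {"id": 3, "attack_id": "A2", "attack": "Untrusted SMB Connection",
     "time": 201, "action": "Blocked"},
    # Missing details with no earlier blocked event in the same attack.
    {"id": 4, "attack_id": "A3", "attack": "Untrusted SMB Connection",
     "time": 300, "action": "Blocked"},
]


def missing_connection_fields(event):
    """Return the names of the connection fields that are absent or empty."""
    return [f for f in CONNECTION_FIELDS if not event.get(f)]


def classify_events(events):
    """Map the id of every event lacking connection details to a reason.

    Reasons:
      non_connection_detection - attack type never reports a connection
      send_on_killed_socket    - an earlier event in the same attack was
                                 blocked, so the socket was already killed
      review                   - neither rule explains the missing fields
    """
    by_attack = defaultdict(list)
    for ev in events:
        by_attack[ev["attack_id"]].append(ev)

    reasons = {}
    for group in by_attack.values():
        group.sort(key=lambda e: e["time"])
        socket_killed = False  # becomes True once an event was blocked
        for ev in group:
            if missing_connection_fields(ev):
                if ev["attack"] in NON_CONNECTION_ATTACKS:
                    reasons[ev["id"]] = "non_connection_detection"
                elif ev["attack"] in SOCKET_KILL_ATTACKS and socket_killed:
                    reasons[ev["id"]] = "send_on_killed_socket"
                else:
                    reasons[ev["id"]] = "review"
            if ev["action"] == "Blocked":
                socket_killed = True
    return reasons


if __name__ == "__main__":
    for event_id, reason in sorted(classify_events(SAMPLE_EVENTS).items()):
        print(f"event {event_id}: {reason}")
```

Only events tagged `review` need an analyst's attention; the other two reasons correspond to the expected cases described in this article. The ordering step matters: a follow-on event is only attributed to a killed socket when a blocked event precedes it within the same attack.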