Attack event details are missing data in some fields
Article ID: 242869
Updated On: 02-28-2023
Products
Endpoint Security Complete; Endpoint Threat Defense for Active Directory
Issue/Introduction
Some attack events do not have details on the connection and appear incomplete. There may be missing Destination IP, Protocol, or Source IP information.
Cause
Some events are triggered before a connection is established or after a socket has been killed, so those details are unavailable.
Resolution
Computer Information Gathering attack events never report connection details, because this detection is not tied to a network connection.
Untrusted SMB Connection attack events may not report Destination IP, Protocol, or Source IP. When the first event in an attack is blocked, the socket is also killed. Any subsequent attempt to send data on that socket is still caught and reported, even though the send fails, and at that point there is no longer a live connection from which to read the addresses.
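The following script is an added illustration of the socket behaviour behind the incomplete events; it is not code from the product or from this article. It opens a loopback TCP connection (a constructed stand-in for the SMB session), records an event while the connection is live, then closes the client socket to model the "socket killed" step and records a second event when the application retries the send. The event schema (`event`, `details`, `send_failed`) is an assumption made for the example, not the product's own event format.

```python
import socket


def capture_connection_details(sock):
    """Return {"source": (ip, port), "destination": (ip, port)} for a connected
    TCP socket, or None when the OS no longer holds a peer for it (the socket
    was closed or killed). Once the socket is gone the addresses cannot be
    recovered, which is why later events arrive without Source/Destination IP."""
    try:
        return {"source": sock.getsockname(), "destination": sock.getpeername()}
    except OSError:
        return None


def record_event(events, name, sock, send_failed=False):
    """Append an attack event, attaching whatever connection details remain available.
    The dictionary layout here is an assumption for this example."""
    events.append({
        "event": name,
        "details": capture_connection_details(sock),
        "send_failed": send_failed,
    })


def simulate_blocked_then_retry():
    """Model the sequence described in the article: a first event on a live
    connection is blocked and the socket killed, then the sender retries on
    the dead socket and that attempt is reported without connection details."""
    # Constructed loopback listener standing in for the target of the connection.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()

    events = []
    # Event 1: the connection is established, so both endpoints are readable.
    record_event(events, "first-event", client)

    # Blocking the first event kills the socket: from here on the descriptor
    # has no peer address associated with it.
    client.close()

    # Event 2: the application tries to send more data on the killed socket.
    # The send fails, and the only thing left to report is the attempt itself.
    try:
        client.send(b"more data")
        send_failed = False
    except OSError:
        send_failed = True
    record_event(events, "subsequent-send", client, send_failed=send_failed)

    server_side.close()
    listener.close()
    return events


if __name__ == "__main__":
    for event in simulate_blocked_then_retry():
        print(event)
```

Running it shows the first event carrying source and destination addresses and the second event carrying `None` for its details with `send_failed` set, which is the pattern to expect in the console for Untrusted SMB Connection events that follow a blocked first event: the empty fields are a consequence of the block, not lost telemetry.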