search cancel

Endpoint Security Complete reports a large number of Incidents that cannot be seen in the Incidents view

book

Article ID: 255796

calendar_today

Updated On:

Products

Endpoint Security Complete Endpoint Security

Issue/Introduction

You may received alerts from your SIEM or see a large number of Incidents on the KPI view of Endpoint Security Complete related to WMI 8015 events as the trigger. Upon further review, there can be found many Incidents closed in the state "Closed (Insufficient data)."

Environment

Cause

There was a new detection logic introduced to detect lateral movement of malware. The Incident logic is intended to keep the incident hidden, but once they are closed due to lack of sufficient data, they are visible. The Event Stream API is also reporting these Incidents when that is not expected.

Resolution

Broadcom will address this in the 2022.10.02 hotfix refresh due on December 14th. These Incidents can be safely ignored when closed with the Insufficient Data status.

Additional Information

You can add a Recorder Rule to your Endpoint Detection and Response policy with the following logic that will prevent these detections in the future:

Event Type: ETW Activity
Sha256: 2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b
Actor Command Line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

Target Type: Source Facility
Target: Microsoft-Windows-WMI-Activity
OR
Target Type: Source Event ID
Target: 5

Example:

Attachments