Link Search Menu Expand Document

AMPExploitPrevention

ID: 100061

Description:

AMP Exploit Prevention

Repository: Group: AMP Type: event

Default Status:

Enabled

Tags:
AMP
 

Selector:

Query:

@source:AMP

Filters:

Field MUST hit
@amp.event_type Exploit Prevention
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@amp.computer.hostname asset security alert

Risks:

Risks Base Score Dimension
ALERT_END_POINT 800 alert

Attributes:

Alias Key
Severity @amp.file.attack_details.indicators.severity
Hostname @amp.computer.hostname
AgentID @amp.connector_guid
FileName @amp.file.file_name
SHA256 @amp.file.identity.sha256
FilePath @amp.file.file_path
Disposition @amp.file.disposition
AttackedModule @amp.file.attack_details.attacked_module
MITRE_Tactic @amp.file.attack_details.indicators.MITRE_Tactic.name
MITRE_Technique @amp.file.attack_details.indicators.MITRE_Technique.name
Event Type @amp.event_type

Correlation Rules:

First Occurrence:

Name Window Fields
NewAsset 10 days @amp.connector_guid
  Risks: ML_NEW_ASSET

History:

| User | Date | | :— | :— | | — | — |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)