AMPExploitPrevention
ID: 100061
Description:
AMP Exploit Prevention
Repository: Group: AMP Type: event
Default Status:
Enabled
| Tags: |
|---|
| AMP |
Selector:
Query:
@source:AMP
Filters:
| Field | MUST hit |
|---|---|
| @amp.event_type | Exploit Prevention |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @amp.computer.hostname | asset | security alert |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_END_POINT | 800 | alert |
Attributes:
| Alias | Key |
|---|---|
| Severity | @amp.file.attack_details.indicators.severity |
| Hostname | @amp.computer.hostname |
| AgentID | @amp.connector_guid |
| FileName | @amp.file.file_name |
| SHA256 | @amp.file.identity.sha256 |
| FilePath | @amp.file.file_path |
| Disposition | @amp.file.disposition |
| AttackedModule | @amp.file.attack_details.attacked_module |
| MITRE_Tactic | @amp.file.attack_details.indicators.MITRE_Tactic.name |
| MITRE_Technique | @amp.file.attack_details.indicators.MITRE_Technique.name |
| Event Type | @amp.event_type |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewAsset | 10 days | @amp.connector_guid |
| Risks: | ML_NEW_ASSET |
History:
| User | Date | | :— | :— | | — | — |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)