Responding to detections (F-Secure Endpoint)

0
(0)

When sensors detect an anomaly in the customer environment, it shows up as a broad context detection in the portal.

F-Secure Elements Endpoint Detection and Response sensors collect data on behavioral events in hosts where they have been installed to detect any anomalies. For example, if Microsoft Office runs a script that launches PowerShell, sensors detect this as suspicious behavior that you can view in the portal.

New broad context detections appear in the portal and the alert recipients receive emails as soon as sensors detect them.

To respond to a detection:

    1. Log in to the portal with your email address and password.

The Home view opens.

    1. Select the Detections tab.

The Detections view contains all broad context detections that have been found.

    1. Select the broad context detection that you want to investigate from the list.

The detection view shows the following information:

The incident type
Information about the type of incident that the detection looks like.
The risk level score
The risk level score based on the confidence on how likely the attack would be to succeed, the measure of how much damage the attack could do and how critical the device if for the company that is being attacked.
The current status of the detection
  • New: A new detection that has not been confirmed to be an incident.
  • Acknowledged: The incident has been acknowledged as something that must be investigated.
  • In progress: The incident is being handled. For example, the administrators have been notified.
  • Monitoring: The incident has been handled, but it is still being monitored for any further updates.
  • Closed – Confirmed: The incident has been closed and is no longer monitored. The detection was confirmed as an incident.
  • Closed – False Positive: The incident has been closed and is no longer monitored. The detection was not malicious.
  • Closed – Unconfirmed: The incident has been closed and is no longer monitored. The detection was not confirmed to be an incident.
  • Closed – Auto False Positive: The incident has been closed automatically as false positive based on identical incidents that have been closed as false positive.
The affected company and hosts
The affected customer organization and the list of targeted hosts.
Select the organization to view the list of targeted hosts and more information about them.
Identical detections
The number of identical detections for the company during the past 30 days. Identical incidents have exactly the same activity.
Select the field to view the list of identical detections.

Note: If a broad context detection is closed as false positive, all identical incidents are marked false positive automatically.

Similar detections
The number of similar detections for the company during the past 30 days. Similar detections can help you to identify possibly related incidents even when the activity is not exactly the same. Similar incidents have a percentage score, which indicates how similar the activity has been.
Select the field to view the list of similar detections.

Tip: Use similar detections for example to identify the full scale of a targeted attack or to check what kind of a resolution similar detections had before.

    1. Analyze the broad context detection by viewing all the information about it.
        • The Summary view shows a diagram of affected hosts and processes.

      Select a host to view more details and select a process to view more information about it.

        • The Process tree view shows the events that have triggered the detection.

      Navigate the tree to view more information about each process.

      Note: The latest activity that a sensor has detected is at the top of the list.

      • Add the description of the incident to the Analysis view. Furthermore, you can select the comment icon to view and enter more comments about the incident while you analyze it. These descriptions and comments are included in reports.
      • The Log shows what has happened to the detection so far.

      Tip: You can select the pin icon to bookmark the incident and find pinned incidents later with the search.

    2. After analyzing the broad context detection, either confirm the incident or close it as a false positive.
        • If you suspect that the event you are viewing is an incident, select the current status of the incident to open the drop-down menu and change the status to Acknowledged.

      After you have confirmed an incident, contact the affected company by email to inform them about the incident and instruct them how to resolve the incident and how to work on a possible breach.

        • If you are sure that the event you are viewing is a false positive, change the current status of the incident to Closed > False positive.

      Broad context detections can be closed as Auto false positive automatically when they are identical to previously closed false alarms. For F-Secure Elements Endpoint Detection and Response to close a broad context detection as Auto false positive, the following criteria must be met:

      • Incident has to be New / Unconfirmed,
      • you must have closed an identical incident in the same organization as False positive, and
      • no identical incidents in the same organization have been Confirmed.

      Incident that was closed as Auto false positive is automatically reopened as New / Unconfirmed if it evolves further and there are no identical false positive incidents for the new form. This prevents a real incident from being accidentally hidden because it started the same way as a known false alarm.

    3. Select Response actions to choose how to handle the incident.

Recommended actions are based on the detected attack type and some actions may not be available for some attacks.

Isolate host
Isolate the host system from the network.
Inform users
Compose and send an alert email to users of the affected hosts.
Scan host
Perform a full malware scan on the affected host. After the scan has finished, the scan results are available in the scan report under device details in the Protection Service for Business portal. The scan can take several minutes to complete.

Note: The Scan host action is only available for F-Secure Elements EDR and EPP for Computers and F-Secure Elements EDR and EPP for Servers subscriptions.

Collect forensics package
Collect information from the host to investigate the incident more thoroughly. After the forensics package has been collected, it is available under Response actions for 14 days. If the host is offline or closed during the collection request, the collection starts when the host becomes active.
The forensics package includes information about device (memory and disk usage), firewall configuration, group policy settings, network settings and activities, windows properties (process listing, scheduled tasks, etc), windows event logs, and registry settings.

Note: The Collect forensics package action is only available for F-Secure Elements EDR and EPP for Computers and F-Secure Elements EDR and EPP for Servers subscriptions, and standalone F-Secure Elements EDR for Computers subscriptions for windows hosts.

The status of the event changes to In progress.

  1. After you have successfully handled the incident, close it. Select the current status of the incident to open the drop-down menu and change the status to Closed > Confirmed.

Tip: You can archive closed incidents to hide ones that are no longer relevant.

Source : Official F-Secure Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 13 times, 1 visits today)
Tagged: