Tracking suspicious activity in your environment can lead you to events that may be malicious and need further investigation, such as infected hosts or attackers gathering information about your environment to prepare an attack. This content pack includes components that can be used to link disparate events together into meaningful intelligence and give you a high-level overview of suspicious events for further investigation.
Content Pack Components
Views
Views that give a high-level overview of suspicious events.
- Suspicious Activity Overview
- Network Flow Baseline
Watchlists
A watchlist of authorized network vulnerability scanning devices, so that their scans do not trigger the correlation rules.
- Recon - Network Scan Devices
Correlation Rules
Rules that link different suspicious events together into meaningful intelligence.
- Suspicious Activity - Internal Device Communicating with External Device over Tor Ports
- Suspicious Activity - IRC Communication with Suspicious Host
- Suspicious Activity - Possible WannaCry Ransomware
- Suspicious Activity - WannaCry File Extensions
- Suspicious Activity - Windows Backup Canceled and Deleted
- Recon - Horizontal SMB Scan - Events or Flows
Required Product
- McAfee Advanced Correlation Engine (ACE) 11.x, 10.x
- McAfee Enterprise Security Manager (ESM) 11.x, 10.x
- Some rules require McAfee Global Threat Intelligence (GTI)
Download Content Pack
Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.