Suspicious Activity Content Pack

Feedback

Kontakt

Overview

Tracking suspicious activity in your environment can lead you to events that may be malicious and need further investigation, such as infected hosts or attackers gathering information about your environment to prepare an attack. This content pack includes components that can be used to link disparate events together into meaningful intelligence and give you a high-level overview of suspicious events for further investigation.

Content Pack Components

Views

A high-level overview of suspicious events.

Suspicious Activity Overview
Network Flow Baseline

Watchlists

Prevents authorized network vulnerability scanning devices from triggering correlation rules.

Recon - Network Scan Devices

Correlation Rules

Can be used to link different suspicious events together into meaningful intelligence.

Suspicious Activity - Internal Device Communicating with External Device over Tor Ports
Suspicious Activity - IRC Communication with Suspicious Host
Suspicious Activity - Possible WannaCry Ransomware
Suspicious Activity - WannaCry File Extensions
Suspicious Activity - Windows Backup Canceled and Deleted
Recon - Horizontal SMB Scan - Events or Flows

Required Products

McAfee Advanced Correlation Engine (ACE) 11.x, 10.x
McAfee Enterprise Security Manager (ESM) 11.x, 10.x
Some rules require McAfee Global Threat Intelligence (GTI).

Content Pack Demo

Content packs are available directly inside the McAfee Enterprise Security Manager user interface. Watch the video to discover how to access your content pack and get started.

Watch Video

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.

Read Article

Explore

Find other content packs and partner integrations.

See All

Free Trial

Interested in McAfee Enterprise Security Manager?