Suspicious Activity Content Pack

Overview

Tracking suspicious activity in your environment can lead you to events that may be malicious and need further investigation, such as infected hosts or attackers gathering information about your environment to prepare an attack. This content pack includes components that can be used to link disparate events together into meaningful intelligence and give you a high-level overview of suspicious events for further investigation.

Content Pack Components

Views

A high-level overview of suspicious events.

  • Suspicious Activity Overview
  • Network Flow Baseline
Watchlists

Prevents authorized network vulnerability scanning devices from triggering correlation rules.

  • Recon - Network Scan Devices
Correlation Rules

Can be used to link different suspicious events together into meaningful intelligence.

  • Suspicious Activity - Internal Device Communicating with External Device over Tor Ports
  • Suspicious Activity - IRC Communication with Suspicious Host
  • Suspicious Activity - Possible WannaCry Ransomware
  • Suspicious Activity - WannaCry File Extensions
  • Suspicious Activity - Windows Backup Canceled and Deleted
  • Recon - Horizontal SMB Scan - Events or Flows

Required Products

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.

Read Article

Explore

Find other content packs and partner integrations.

See All

Free Trial

Interested in McAfee Enterprise Security Manager?

Register for Free Trial
Back to top