Hi all, I am in need of assistance - how should I go about investigating an incident created by the "Failed Connections" alert?
I run malware scans on the host that raised the alarm, but what can I do beyond that?
I should also mention that whenever such an incident arises, it is not accompanied by a malware alert or anything of the sort.
There are a couple of steps that I would suggest, my assumption being that the endpoint tried to connect to a malicious site.
1. Drill down into the alerts that are a part of the incident. Identify the sources and destinations, and the actions that led to the alert. If a malicious file is initiating the connections, you can block it, and retrieve it for further analysis in a sandboxed environment. Based on your analysis, you can proceed to remove the file(s) based on your organizational processes. You can also proceed to investigate how the file came to be present on the host.
2. If the connection destinations are deemed malicious/suspicious, you can block them via EDLs or, better still, update your firewall policies to block such connections in the event the destinations are alive in the future.
If the connections are port scans, lateral movements (wmiexec etc.), please investigate the reason for those activities as well.
I hope this gets you started off in the right direction.
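To make the triage steps in the answer above concrete, here is an added example that is not code from the original thread or from any Palo Alto Networks product. It runs those checks over a constructed set of failed-connection records: it groups attempts by the initiating process, separates external destinations (the EDL/firewall block candidates) from internal ones, and flags the port-scan and lateral-movement (RPC/SMB/RDP/WinRM) shapes the answer mentions. The record layout, the field names and the two thresholds are assumptions, not fields or defaults of any product.

```python
"""Triage helper for a "Failed Connections" incident.

Added example: the record shape (host, process, dst_ip, dst_port) and the
thresholds below are assumptions; the records are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of failed outbound connection attempts from one host.
FAILED_CONNECTIONS = [
    # (host, initiating process, destination ip, destination port)
    ("WS-0142", "updater.exe", "203.0.113.7", 443),
    ("WS-0142", "updater.exe", "203.0.113.7", 443),
    ("WS-0142", "updater.exe", "203.0.113.7", 443),
    ("WS-0142", "updater.exe", "198.51.100.23", 8443),
    # One process probing many ports on a single internal host: port-scan shape.
    *[("WS-0142", "nmap.exe", "10.10.5.20", p)
      for p in (21, 22, 23, 80, 135, 139, 443, 445, 3389, 5985)],
    # One process hitting admin ports on many internal hosts: lateral-movement shape.
    *[("WS-0142", "wmiexec.py", f"10.10.5.{n}", 135) for n in range(30, 40)],
    *[("WS-0142", "wmiexec.py", f"10.10.5.{n}", 445) for n in range(30, 40)],
]

# RFC 1918 ranges stand in for "internal"; adjust to your own address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Ports that lateral-movement tooling (wmiexec, psexec, WinRM, RDP) relies on.
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}

PORTSCAN_MIN_PORTS = 8   # assumption: distinct ports tried against one host
LATERAL_MIN_HOSTS = 5    # assumption: distinct internal hosts hit on admin ports


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(records):
    """Group failed connections by initiating process and classify each one.

    Returns {process: {"hosts", "external", "scan_targets",
                       "lateral_targets", "tags"}}.
    """
    by_proc = defaultdict(list)
    hosts = defaultdict(set)
    for host, proc, ip, port in records:
        by_proc[proc].append((ip, port))
        hosts[proc].add(host)

    findings = {}
    for proc, conns in by_proc.items():
        ports_per_dst = defaultdict(set)
        for ip, port in conns:
            ports_per_dst[ip].add(port)

        # Step 2 of the answer: external destinations are block candidates.
        external = sorted({ip for ip, _ in conns if not is_internal(ip)})
        # Many distinct ports against one destination: port scan.
        scan_targets = sorted(ip for ip, ports in ports_per_dst.items()
                              if len(ports) >= PORTSCAN_MIN_PORTS)
        # Admin ports across many internal hosts: lateral movement.
        lateral_targets = sorted({ip for ip, port in conns
                                  if is_internal(ip) and port in LATERAL_PORTS})

        tags = []
        if external:
            tags.append("external-destinations")
        if scan_targets:
            tags.append("port-scan")
        if len(lateral_targets) >= LATERAL_MIN_HOSTS:
            tags.append("lateral-movement")
        if not tags:
            tags.append("needs-manual-review")

        findings[proc] = {
            "hosts": sorted(hosts[proc]),
            "external": external,
            "scan_targets": scan_targets,
            "lateral_targets": lateral_targets,
            "tags": tags,
        }
    return findings


def edl_candidates(findings):
    """External destinations across all processes, one per line for an EDL."""
    return sorted({ip for f in findings.values() for ip in f["external"]})


if __name__ == "__main__":
    result = triage(FAILED_CONNECTIONS)
    for proc, f in result.items():
        print(f"{proc}: {', '.join(f['tags'])}  (hosts: {', '.join(f['hosts'])})")
    print("EDL candidates:", ", ".join(edl_candidates(result)))
```

The process that appears in the "port-scan" or "lateral-movement" bucket is the one to pull for sandbox analysis and to trace back to how it arrived on the host (step 1 of the answer); the `edl_candidates` output is what would feed the EDL or firewall rule in step 2. Feeding it real data is a matter of mapping your alert export's columns onto the four-field record shape.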