Endpoint Protection


Symantec Endpoint protection intrusion report

Migration User, Jun 09, 2014 04:33 PM

  • 1.  Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 12:39 PM

    Make sure I understand this report before I report back to our client.

    They run a daily report that shows 1 critical top target attacked by client.

    It appears to show an external public IP as the system?

    If so, since the rest of the report says they are ok, and if I am right, how is the best way to explain this to them?

    Or is there something they should do about that system that appears to be trying to get in?

    Thanks

    Mike

    See picture.




  • 2.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 12:42 PM
    It means an attack attempt from outside was blocked


  • 3.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 01:22 PM

    That is what I thought.

    If it continues to show up in new reports, should they be concerned?

    Have the network guys block that address?

    Thanks for the help.

    Mike




  • 4.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 01:52 PM

    Ideally, you want to stop that external address. I'd block it at the firewall if you conclude it's malicious.



  • 5.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 02:44 PM

    The IP address 54.200.194.83 belongs to Amazon.com according to whois information (e.g. http://ip-lookup.net/index.php). Of course Amazon is not only a retailer but a web service provider (AWS). Perhaps this may be a hint for your client.

    And check the Intrusion Prevention logs to find out the exact IPS signature. That can be done on the client or on the SEPM.




  • 6.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 04:26 PM

    Well I did a whois.

    And that says that it is Merck and Co.?

    Not sure if you have heard bad things about them?

    I have not.

    We did a block on the IP at the firewall.

    I told the customer and he now wants to know if we have to do this every time this happens?

    I really would rather not, but not sure what else to do or tell him.

    Thanks

    Mike




  • 7.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 04:31 PM

    You probably need to look into this in more detail: what type of attack was detected, was the user browsing the web? It could've just been that a website was infected or a malicious ad was trying to redirect to another site.



  • 8.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 04:33 PM

    Well maybe it is Amazon's IP?

    :)



  • 9.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 04:37 PM

    That is where I am having issues getting better details out of Endpoint.

    Is there something I am missing?

    Like if you look at the screen print I sent, it shows that public IP in the pie chart and the other one is a 192.168.x.x in the same pie chart with it. And their network is a 10.x.

    Is there a report or something I can run to get better detail like a PC name?

    Mike



  • 10.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 04:41 PM

    Monitors page >> Logs and select Network Threat Protection logs, log content is Attacks

    Advanced settings and you can enter in that IP.



  • 11.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 04:47 PM

    Maybe I was just not reading right.

    See screen print.

    The top picture shows a computer ID in the pie chart.

    Is that supposed to coincide with the external IP below in the next pie chart?

    Thanks

    Mike



  • 12.  RE: Symantec Endpoint protection intrusion report
    Best Answer

    Posted Jun 09, 2014 04:54 PM

    Both of those IPs are the "attackers", although 192.168.x.x is only being flagged for port scanning, which may be a precursor to an attack but not necessarily an attack.
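As an added worked example (not from the thread, and not Symantec's code), the script below does the triage this answer and the earlier "Monitors >> Logs >> Network Threat Protection, log content Attacks" step describe, but over an exported attacks log instead of the pie chart: it groups events by remote host IP, separates RFC 1918 addresses from public ones, tells port-scan-only noise apart from IPS signature blocks, and lists the computer names each address targeted. The column names, host names, signature names and all rows are constructed (only the 54.200.194.83 address comes from the thread), so the column mapping has to be adjusted to match a real SEPM export.

```python
"""Summarise Symantec Endpoint Protection (SEP) Network Threat Protection
"Attacks" log rows by remote address, so an external attacker IP can be told
apart from an internal host that is only port scanning.

Added example, not Symantec's code. The column layout is a constructed
simplification of an exported SEP attacks log; real exports have many more
columns, so map the names below onto your own export before use.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows: 54.200.194.83 is the address from the thread; the
# computer names, local IPs, signatures and timestamps are made up.
SAMPLE_LOG = """\
Event Time,Computer Name,Local Host IP,Remote Host IP,Event Type,Signature Name,Action
2014-06-09 08:12:01,WS-ACCT-07,10.1.20.15,54.200.194.83,Intrusion Prevention,Web Attack: Malicious Redirect,Blocked
2014-06-09 08:12:04,WS-ACCT-07,10.1.20.15,54.200.194.83,Intrusion Prevention,Web Attack: Malicious Redirect,Blocked
2014-06-09 09:40:17,WS-ENG-02,10.1.30.8,192.168.1.77,Port Scan,Port Scan,Logged
2014-06-09 09:40:19,WS-ENG-02,10.1.30.8,192.168.1.77,Port Scan,Port Scan,Logged
2014-06-09 11:02:55,WS-HR-01,10.1.40.3,203.0.113.9,Intrusion Prevention,OS Attack: Example Signature,Blocked
"""

# RFC 1918 plus loopback and link-local; checked explicitly rather than via
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr: str) -> bool:
    """True when the address is in a private/local range, i.e. a host inside
    some internal network rather than on the public internet. Note that a
    192.168.x.x peer is still 'internal' even if the customer's own LAN is
    10.x; it is then worth asking which segment or VPN it belongs to."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def summarise_attacks(log_text: str) -> dict:
    """Group attack-log rows by remote host IP. Per IP: whether it is internal,
    the targeted computer names, the distinct signatures and event types seen,
    and the event count."""
    summary = defaultdict(lambda: {"internal": None, "targets": set(),
                                   "signatures": set(), "event_types": set(),
                                   "events": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        ip = row["Remote Host IP"].strip()
        entry = summary[ip]
        entry["internal"] = is_internal(ip)
        entry["targets"].add(row["Computer Name"].strip())
        entry["signatures"].add(row["Signature Name"].strip())
        entry["event_types"].add(row["Event Type"].strip())
        entry["events"] += 1
    return dict(summary)


def classify(entry: dict) -> str:
    """Reduce one remote address to a short triage label."""
    if entry["event_types"] == {"Port Scan"}:
        where = "internal" if entry["internal"] else "external"
        return f"{where} port scan only (reconnaissance, not a blocked exploit)"
    if entry["internal"]:
        return "internal host hit an IPS signature: check that host itself"
    return "external address blocked by an IPS signature"


def repeat_offenders(summary: dict, min_events: int = 2) -> list:
    """External addresses seen at least min_events times: the ones that justify
    a firewall rule rather than a one-off review."""
    return sorted(ip for ip, e in summary.items()
                  if not e["internal"] and e["events"] >= min_events)


if __name__ == "__main__":
    result = summarise_attacks(SAMPLE_LOG)
    for ip, e in result.items():
        print(f"{ip:16} events={e['events']} targets={sorted(e['targets'])} "
              f"-> {classify(e)}")
    print("repeat external offenders:", repeat_offenders(result))
```

Run against a real export, the `targets` set answers the "which PC name?" question from this thread, and `repeat_offenders` gives a simple, documentable rule for when an address gets a firewall block instead of being handled case by case.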



  • 13.  RE: Symantec Endpoint protection intrusion report

    Posted Jun 09, 2014 05:39 PM

    Sounds good.

    I used logs to double check the PC name and got the user.

    I have passed that information on to the company and suggested a scan with something other than Symantec to see if something is found.

    Thanks for the help.

    Mike