Hi Team,
We are using version 14.0.3929 in our environment along with ATP version 3.1.0-678. For the last couple of days we have been getting this alert in ATP:
2018-07-18 14:21:59 UTC | 4124: Endpoint (IP/URL/Domain) Detection

app_name | C:/PROGRAM FILES/INTERNET EXPLORER/IEXPLORE.EXE
categories | Attack
data_source_url_domain |
deepsight_domain | notavailable
description |
device_ip | 172.*>*>*
device_name | hostname
device_time | 2018-07-18 14:21:59 UTC
device_uid | 39c4147
domain_name | abc
event_desc | [SID: 30529] Web Attack: Fake TechSupport Domains 2 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
event_id | 206: Intrusion detected
external_ip | 172*>*>*
host_name | hostname
infected | false
intrusion_url | www.bing.comwww.bing.com:443
local_host_mac | 000000000000
log_time | 2018-07-18 14:25:06 UTC
network_protocol | 2: TCP
remote_host_mac | 000000000000
severity | 3: Critical
sid | 30529
signature_id | 30529
signature_name | Web Attack: Fake TechSupport Domains 2
symc_device_action | 1: Blocked
time | 2018-07-18 14:21:59 UTC
timezone | UTC
traffic_direction | 1: Inbound
type_id | 4124: Endpoint (IP/URL/Domain) Detection
user_name | 60891
Could you please explain what this attack actually means? Bing.com is blocked already in this environment.
Regards,
Jagadeesh
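A small triage script for records like the one in the post above, added here as an example; it is not code from the post or from Symantec. It assumes the event is laid out as "field | value" lines (as pasted above), strips the numeric prefixes from enumerated fields such as "1: Blocked", and reads the host out of intrusion_url. The record above carries "www.bing.comwww.bing.com:443"; the script treats an exact doubling of the host as a logging artefact and collapses it, which is an assumption made here, not documented behaviour. The function names, the disposition labels and the BLOCKED_DOMAINS set are all constructed for this example.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the event from the post, reduced to the fields
# this script uses, one "field | value" per line.
SAMPLE_EVENT = """\
app_name | C:/PROGRAM FILES/INTERNET EXPLORER/IEXPLORE.EXE
categories | Attack
description |
event_desc | [SID: 30529] Web Attack: Fake TechSupport Domains 2 attack blocked. Traffic has been blocked for this application: C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE
event_id | 206: Intrusion detected
infected | false
intrusion_url | www.bing.comwww.bing.com:443
severity | 3: Critical
sid | 30529
signature_name | Web Attack: Fake TechSupport Domains 2
symc_device_action | 1: Blocked
traffic_direction | 1: Inbound
"""

# Constructed: the domain the poster says is already blocked in the environment.
BLOCKED_DOMAINS = {"bing.com"}


def parse_event(dump: str) -> Dict[str, str]:
    """Turn 'field | value' lines into a dict. Empty values (e.g. description)
    are kept as '' so callers can tell 'present but empty' from 'absent'."""
    fields: Dict[str, str] = {}
    for line in dump.splitlines():
        if "|" not in line:
            continue
        key, _, value = line.partition("|")
        fields[key.strip()] = value.strip()
    return fields


def coded_value(raw: str) -> str:
    """Strip the numeric code from enumerated fields: '1: Blocked' -> 'Blocked'."""
    m = re.match(r"^\d+:\s*(.*)$", raw)
    return m.group(1).strip() if m else raw


def intrusion_host(raw: str) -> Optional[str]:
    """Host from intrusion_url, port removed, lower-cased.

    Assumption (this example only): an exact doubling of the host, as in
    'www.bing.comwww.bing.com:443', is a logging artefact and is collapsed."""
    if not raw:
        return None
    host = re.sub(r":\d+$", "", raw).lower()
    half = len(host) // 2
    if len(host) % 2 == 0 and host[:half] == host[half:]:
        host = host[:half]
    return host


def on_blocklist(host: Optional[str], domains) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(fields: Dict[str, str]) -> dict:
    """Pull out what an analyst checks first and assign a disposition."""
    sid = fields.get("sid")
    if not sid:  # fall back to the '[SID: n]' prefix inside event_desc
        m = re.search(r"\[SID:\s*(\d+)\]", fields.get("event_desc", ""))
        sid = m.group(1) if m else "0"
    action = coded_value(fields.get("symc_device_action", ""))
    infected = fields.get("infected", "").lower() == "true"
    host = intrusion_host(fields.get("intrusion_url", ""))
    if infected:
        disposition = "investigate_host"        # endpoint itself is flagged
    elif action == "Blocked":
        disposition = "blocked_verify_source"   # IPS stopped it; find what triggered the request
    else:
        disposition = "review"
    return {
        "sid": int(sid),
        "signature": fields.get("signature_name", ""),
        "action": action,
        "infected": infected,
        "direction": coded_value(fields.get("traffic_direction", "")),
        "app": fields.get("app_name", ""),
        "host": host,
        "host_already_blocked": on_blocklist(host, BLOCKED_DOMAINS),
        "disposition": disposition,
    }


if __name__ == "__main__":
    for key, value in triage(parse_event(SAMPLE_EVENT)).items():
        print(f"{key:>21}: {value}")
```

Run against the pasted record this reports action Blocked, infected false and a normalized host that does match the environment's existing block entry, which the raw intrusion_url value would not. The "blocked_verify_source" disposition is the prompt to pull the proxy or browser history for that host at 14:21:59 UTC and see which page made IEXPLORE.EXE issue the request; nothing here interprets what the signature itself detects.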