In 12.1 and older versions, if a file on a host such as Host 1 was found malicious or suspicious by a YARA scan or an OPSWAT scan, a "YARA alert match" or "OPSWAT alert match" alert was triggered only on that host. If the same file was also present on other hosts such as Host 2, Host 3, and Host 4, the "YARA alert match" or "OPSWAT alert match" alert was not triggered on those hosts.
Instead, the notifications "Process with matched YARA rule" or "Process with OPSWAT reported suspicious/malicious" were triggered on multiple hosts every time activity of the YARA or OPSWAT matched file was detected on any host such as Host 1, Host 2, Host 3, or Host 4. As a result, these notifications were triggered frequently and displayed in the UI, which made it difficult for analysts working across multiple hosts to triage other important alerts.
The notifications "Process with matched YARA rule" or "Process with OPSWAT reported suspicious/malicious" were also triggered on new hosts such as Host 5 or Host 6 whenever activity of the YARA or OPSWAT matched file was detected on any of Host 1, Host 2, Host 3, or Host 4.
From 12.2 onward, these notifications are optimized across hosts. As soon as a file on any host such as Host 1 is found malicious or suspicious by a YARA scan or an OPSWAT scan, the "YARA alert match" or "OPSWAT alert match" alert is triggered on the hosts where that file is present, such as Host 1, Host 2, Host 3, and Host 4. Later, when activity of the YARA or OPSWAT matched file is detected on any host such as Host 1, the notifications "Process with matched YARA rule" or "Process with OPSWAT reported suspicious/malicious" are no longer triggered on any host. With this enhancement, analysts can triage the alerts appropriately from a single "YARA alert match" or "OPSWAT alert match" notification.
If the malicious file is present on a new host such as Host 5, the "YARA alert match" or "OPSWAT alert match" alert is triggered on that host as well, as soon as the Endpoint server detects the malicious file there.
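The two behaviours described above, as an added example that is not the product's own code: a constructed Python model of how the 12.1 and 12.2 alert paths treat the same stream of endpoint events (the file seen on Hosts 1 to 4, a YARA verdict on Host 1, later process activity, then the file appearing on a new Host 5). The event shape, the SAMPLE_SHA256 placeholder and the function names are assumptions; the OPSWAT alerts follow the same pattern with their own names.

```python
from collections import defaultdict

YARA_ALERT = "YARA alert match"                 # alert names from the release note
YARA_PROCESS = "Process with matched YARA rule"

# Constructed sample stream: one flagged file observed across several hosts.
SAMPLE_SHA256 = "<constructed-sha256-placeholder>"
EVENTS = [
    {"type": "file_seen", "host": "Host 1", "sha256": SAMPLE_SHA256},
    {"type": "file_seen", "host": "Host 2", "sha256": SAMPLE_SHA256},
    {"type": "file_seen", "host": "Host 3", "sha256": SAMPLE_SHA256},
    {"type": "file_seen", "host": "Host 4", "sha256": SAMPLE_SHA256},
    {"type": "scan_verdict", "host": "Host 1", "sha256": SAMPLE_SHA256},  # YARA hit
    {"type": "process_activity", "host": "Host 2", "sha256": SAMPLE_SHA256},
    {"type": "process_activity", "host": "Host 3", "sha256": SAMPLE_SHA256},
    {"type": "process_activity", "host": "Host 2", "sha256": SAMPLE_SHA256},
    {"type": "file_seen", "host": "Host 5", "sha256": SAMPLE_SHA256},  # new host, after verdict
]

def alerts_legacy(events):
    """12.1 model: alert only on the scanned host; each later process activity
    involving the flagged file raises a separate per-host notification."""
    flagged, out = set(), []
    for ev in events:
        if ev["type"] == "scan_verdict":
            flagged.add(ev["sha256"])
            out.append((ev["host"], YARA_ALERT))
        elif ev["type"] == "process_activity" and ev["sha256"] in flagged:
            out.append((ev["host"], YARA_PROCESS))
    return out

def alerts_optimized(events):
    """12.2 model: one alert per (host, file), fanned out to every host holding the
    file at verdict time and to any host seen with it later; no process notifications."""
    presence = defaultdict(set)  # sha256 -> hosts where the file has been seen
    flagged, alerted, out = set(), set(), []
    def raise_once(host, sha):
        if (host, sha) not in alerted:
            alerted.add((host, sha))
            out.append((host, YARA_ALERT))
    for ev in events:
        host, sha = ev["host"], ev["sha256"]
        presence[sha].add(host)
        if ev["type"] == "scan_verdict":
            flagged.add(sha)
            for h in sorted(presence[sha]):  # deterministic fan-out order
                raise_once(h, sha)
        elif sha in flagged:
            raise_once(host, sha)  # Host 5 case: known-bad file appears on a new host
    return out
```

Running both functions over EVENTS shows the legacy path producing one alert plus three repeated process notifications, while the optimized path produces exactly one alert per host (Hosts 1 to 5) and nothing else.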
To avoid triggering "Process with OPSWAT reported suspicious/malicious" notifications on multiple hosts whenever OPSWAT matched file activity is detected on a particular host, the following Endpoint App rules are deleted.
To avoid triggering "Process with matched YARA rule" notifications on multiple hosts whenever YARA matched file activity is detected on a particular host, the following Endpoint App rule is deleted.