Mail from AMP

Hello,

I received this mail:

Secure Endpoint observed the following compromise matching your subscription named Real Time Incidents.

Compromise State: Requires Attention
Hostname:
Group:
Operating System: Windows 10 Enterprise
Policy:
Connector Version: 7.3.15.20174
Internal IP:
Install Date: 2018-03-26 15:00:25 UTC
External IP:
Connector GUID:

Related Events (3 compromise events spanning 2 minutes)

1. Type: DFC Threat Detected
   IP:
   Date: 2021-07-27 16:27:28 UTC

2. Type: DFC Threat Detected
   IP:
   Date: 2021-07-27 16:28:43 UTC

3. Type: DFC Threat Detected
   IP:
   Date: 2021-07-27 16:29:25 UTC

What could I do?

Thanks and regards,

Konstantinos

1 Reply

If the IP is 205[.]185[.]216[.]42, it is a false positive.

If it were real, I'd dig into which app/process did the communication using the Trajectory. Figure out what app it is; if it's not something that you know is good, convict it so that AMP shuts it down. For example, if it's a file your user downloaded, or a fileless process started from Word or Excel, you'd kill that process and track down how it got in.
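The triage the reply describes, as an added example that is not part of the original post and not Cisco's own tooling: it parses the flattened label/value text of a "Real Time Incidents" mail like the one above, pulls the destination IPs out of the Related Events block, and separates the false-positive address named in the reply from anything that still needs Device Trajectory work. The sample mail is constructed to mirror the post; the hostname WS-EXAMPLE-01 and the second destination 198.51.100.23 (an RFC 5737 documentation address) are assumptions, and the labels that were redacted in the post are left blank to exercise that path.

```python
"""Triage helper for a Secure Endpoint (AMP) "Real Time Incidents" mail.

Added example: parse the label/value lines of the alert, collect the DFC
destination IPs, and decide between "known false positive" and "investigate".
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Destination the reply calls a false positive, defanged exactly as written there.
KNOWN_FALSE_POSITIVES_DEFANGED = {"205[.]185[.]216[.]42"}

HEADER_FIELDS = ("Compromise State", "Hostname", "Group", "Operating System", "Policy",
                 "Connector Version", "Internal IP", "Install Date", "External IP",
                 "Connector GUID")
EVENT_FIELDS = ("Type", "IP", "Date")  # each Related Events entry is one such triple
DATE_FMT = "%Y-%m-%d %H:%M:%S UTC"

# Constructed sample mirroring the mail in the post. Hostname is an assumption;
# Policy, External IP and Connector GUID are left blank as they were redacted there.
SAMPLE_ALERT_FP = """\
Secure Endpoint observed the following compromise matching your subscription named Real Time Incidents.
Compromise State
Requires Attention
Hostname
WS-EXAMPLE-01
Policy
Connector Version
7.3.15.20174
External IP
Connector GUID
Related Events (3 compromise events (spanning 2 minutes))
Type
DFC Threat Detected
IP
205.185.216.42
Date
2021-07-27 16:27:28 UTC
Type
DFC Threat Detected
IP
205.185.216.42
Date
2021-07-27 16:28:43 UTC
Type
DFC Threat Detected
IP
205.185.216.42
Date
2021-07-27 16:29:25 UTC
"""
# Same mail with an unknown destination (constructed, RFC 5737 documentation range).
SAMPLE_ALERT_UNKNOWN = SAMPLE_ALERT_FP.replace("205.185.216.42", "198.51.100.23")


def refang(ip: str) -> str:
    return ip.replace("[.]", ".")


def defang(ip: str) -> str:
    return ip.replace(".", "[.]")


KNOWN_FALSE_POSITIVES = {refang(ip) for ip in KNOWN_FALSE_POSITIVES_DEFANGED}


@dataclass
class DfcEvent:
    type: str
    ip: str
    date: Optional[datetime]


def parse_alert(text: str) -> Tuple[Dict[str, str], List[DfcEvent]]:
    """Walk the label/value lines; a label directly followed by another label was redacted."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header: Dict[str, str] = {}
    events: List[DfcEvent] = []
    current: Dict[str, str] = {}
    i = 0
    while i < len(lines):
        key = lines[i]
        if key not in HEADER_FIELDS and key not in EVENT_FIELDS:
            i += 1  # intro sentence or the "Related Events (...)" banner
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        has_value = bool(nxt) and nxt not in HEADER_FIELDS and nxt not in EVENT_FIELDS and (
            not nxt.startswith("Related Events"))
        value = nxt if has_value else ""
        if key in HEADER_FIELDS:
            header[key] = value
        else:
            current[key] = value
            if key == "Date":  # Date is the last label of an event block
                try:
                    when: Optional[datetime] = datetime.strptime(value, DATE_FMT)
                except ValueError:
                    when = None
                events.append(DfcEvent(current.get("Type", ""), refang(current.get("IP", "")), when))
                current = {}
        i += 2 if has_value else 1
    return header, events


def span_minutes(events: List[DfcEvent]) -> int:
    stamps = [e.date for e in events if e.date]
    return round((max(stamps) - min(stamps)).total_seconds() / 60) if len(stamps) > 1 else 0


def triage(text: str) -> Tuple[str, List[str]]:
    """Return a verdict plus the next steps the reply recommends."""
    header, events = parse_alert(text)
    ips = {e.ip for e in events if e.ip}
    suspect = sorted(ips - KNOWN_FALSE_POSITIVES)
    host = header.get("Hostname") or header.get("Connector GUID") or "<redacted host>"
    if ips and not suspect:
        return "false_positive", [f"all {len(events)} DFC events on {host} went to a known false-positive "
                                  f"destination ({', '.join(defang(ip) for ip in sorted(ips))}); no action"]
    if suspect:
        return "investigate", [
            f"{len(events)} DFC events on {host} within {span_minutes(events)} min to "
            f"{', '.join(defang(ip) for ip in suspect)}",
            "open Device Trajectory for this connector and identify the process that made the connection",
            "if that process is not known-good, convict it so the connector stops it, then trace how it got in",
        ]
    return "incomplete", ["no destination IP survived in the mail; pull the events from the console first"]


if __name__ == "__main__":
    for sample in (SAMPLE_ALERT_FP, SAMPLE_ALERT_UNKNOWN):
        verdict, steps = triage(sample)
        print(verdict, *steps, sep="\n  ")
```

The IPs were stripped from the mail as posted, so the "incomplete" branch is what this particular copy would produce; the allowlist is deliberately the single address from the reply, and anything else routes to the Trajectory steps rather than being silently dismissed.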
