02-26-2024 11:20 PM
Today we see a lot of threat detections for "TinyTurlaV2 Service Created".
I just wonder if this has something to do with the false positive detections in Behavioral Protection that Cisco announced yesterday evening. It looks like these detections started at the same time, hence my question.
Also found this question on TinyTurlaV2 Service : r/DefenderATP (reddit.com)
02-27-2024 07:39 AM
I received an alert at 2024-02-26 17:21 UTC for "System Restore Disabled by Registry". After that, nothing. Thought I was missing something with my alerts.
02-27-2024 07:50 AM
02-27-2024 08:54 AM
@Vince3889 Our email alerts are not working either. Cisco really has stepped in it this time.
02-27-2024 08:56 AM
Vince, I think you'll note that it's not that the email alerts aren't working; it's that the events that trigger the email alerts aren't being logged/generated, and as a result the email alerts don't trigger.
If you were getting the events logged as they ought to be, you'd get the emails. They're not logging the events appropriately, so you're not getting the emails.
This is a Sev1 outage on the Cisco end despite no notification saying so or acknowledgement on their Status page.
02-27-2024 09:32 AM
Not sure they turned it off; it seems the flood of events may have DDoS'd their servers.
We are not getting any email notifications at the moment.
02-27-2024 07:49 AM
Refreshed my inbox and found this alert. It wasn't there an hour ago but says it's been there for 8 hours.
02-27-2024 07:55 AM
Thanks @emapsit and @Ken Stieers. Seeing these 2 messages now:
I guess this is like 'retrospective detections' but applied to system messages? I wanna rant so bad right now, this is testing the limits of self-control.
02-27-2024 08:06 AM
02-27-2024 08:11 AM
You're correct Ken. We have a backup of jobs getting processed due to the FPs and have been allocating resources to get them processed as quickly as possible. We're anticipating being caught up within the next couple of hours.
-Matt
02-27-2024 05:41 PM
Looks like the whole queue finally got processed, as I see some BP updates in my own portal and the newest BP signature is 13411 as of right now, 8:40 pm EST.
02-28-2024 09:53 AM
These false positive episodes have happened with increasing frequency over the past year, and are incredibly nerve-wracking. The one-two punch of the System Restore disabled and APT service created detections is the last straw for our org. Cisco does not seem to have a good product strategy in place, so we're moving to C-strike.
I know we're a small fish in a large pond, but enough is enough. We're going to end up missing a REAL alert one day because we just can't trust Cisco products anymore.
02-28-2024 12:43 PM
I agree. This could not have occurred at a more terrible time, especially since last week United Health was breached by an APT. My org wanted to tighten its belt in regards to security, which meant turning on Automatic Isolation for Cisco Secure Endpoint, and then I wake up to dozens of machines being falsely isolated and **bleep** near had a heart attack when I saw APT threats on my endpoints. Imagine if a critical server or domain controller had been falsely isolated? This is a no-go for the healthcare sector.
Cisco's EDR products continue to disappoint. I'll be encouraging leadership to look elsewhere.
03-01-2024 09:12 AM
Final note:
For all 3 incidents below:
- TinyTurlaV2
- System Restore Disabled via Registry
- Delayed Jobs
Cisco's official RCA was released, and it can be requested through your existing TAC case.
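As an added triage aid, not part of any post in this thread and not Cisco's code: before acting on either of the two detections named above, an analyst can confirm directly on the endpoint whether System Restore was actually disabled by policy and which services were recently installed. The registry value (DisableSR under the SystemRestore policy key) and Event ID 7045 ("A new service was installed") are standard Windows locations; the eight-hour lookback window is an assumption chosen to cover the delayed alerts discussed earlier in the thread.

```powershell
# Added example for local triage of the two detections discussed in this thread.
# Not Cisco code. Run in an elevated PowerShell session on the endpoint in question.

# 1. "System Restore Disabled via Registry": the policy value is DisableSR
#    (REG_DWORD, 1 = disabled) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore.
$srPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$srPolicy = Get-ItemProperty -Path $srPolicyKey -ErrorAction SilentlyContinue
if ($srPolicy -and $srPolicy.DisableSR -eq 1) {
    Write-Output "System Restore IS disabled by policy (DisableSR=1) at $srPolicyKey"
} else {
    Write-Output "No DisableSR=1 value under $srPolicyKey; System Restore was not disabled via this key."
}

# 2. "Service Created": Event ID 7045 in the System log records every newly installed service.
#    The lookback window (8 hours) is an assumption, chosen to span the delayed-alert period.
$since = (Get-Date).AddHours(-8)
$newServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Property order for 7045: 0 ServiceName, 1 ImagePath, 2 ServiceType, 3 StartType, 4 AccountName
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            StartType   = $_.Properties[3].Value
            Account     = $_.Properties[4].Value
        }
    }

if ($newServices) {
    $newServices | Format-Table -AutoSize
} else {
    Write-Output "No 7045 (service installed) events in the System log since $since."
}
```

Compare the ServiceName and ImagePath shown here against what the Secure Endpoint alert reports. If the only services installed in the window are the EDR connector's own components or other signed vendor binaries, that supports treating the alert as a false positive; if the System log has no 7045 events at all while the console insists a service was created, check whether the log was cleared before closing the alert.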
03-05-2024 08:47 AM
03-05-2024 10:53 PM
Hi!
Is this public? I got "Access Denied" when clicking on the link.