topic Want to block some processes based on event ID in Endpoint https://community.checkpoint.com/t5/Endpoint/Want-to-block-some-processes-based-on-event-ID/m-p/224939#M9219 <P>Hi Team,</P><P>I am using CP Harmony EDR &amp; want to block some processes which has been reported by SOC to be malicious</P><P>Below detection method has been told by SOC team to implement in the EDR:</P><P>1.PowerShell script execution event ID: 4104 should be monitored for detecting any PowerShell script executions.<BR />2.Network requests originating from unknown processes must be flagged and investigated by EDR/XDR.<BR />3.Event ID: 4698 can be monitored in XDR to detect suspicious tasks being created.<BR />4.Event ID: 9707 in Shell-Core/Operational logs can be monitored in XDR to detect newly executed processes using Run/RunOnce registry keys.<BR />5.Monitor the user Startup directories for addition of new files with ‘.bat’ extension using XDR.<BR />6.Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.<BR />7.Event ID 104 for System Logs, Event ID 1102 for Security logs, can be monitored in EDR to detect activity related to Windows event logs being cleared.<BR />8.Monitor for deletion/modifications of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\WOW6432Node\AdvetNet\DesktopCentral\DCAgent &amp; HKLM:\SOFTWARE\WOW6432Node\AdvetNet\ManageEngine\UESAgent.</P><P>Please help me to implement this in EDR. Thanks...</P> Thu, 29 Aug 2024 09:37:45 GMT shantilalSuthar 2024-08-29T09:37:45Z Want to block some processes based on event ID https://community.checkpoint.com/t5/Endpoint/Want-to-block-some-processes-based-on-event-ID/m-p/224939#M9219 <P>Hi Team,</P><P>I am using CP Harmony EDR &amp; want to block some processes which has been reported by SOC to be malicious</P><P>Below detection method has been told by SOC team to implement in the EDR:</P><P>1.PowerShell script execution event ID: 4104 should be monitored for detecting any PowerShell script executions.<BR />2.Network requests originating from unknown processes must be flagged and investigated by EDR/XDR.<BR />3.Event ID: 4698 can be monitored in XDR to detect suspicious tasks being created.<BR />4.Event ID: 9707 in Shell-Core/Operational logs can be monitored in XDR to detect newly executed processes using Run/RunOnce registry keys.<BR />5.Monitor the user Startup directories for addition of new files with ‘.bat’ extension using XDR.<BR />6.Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.<BR />7.Event ID 104 for System Logs, Event ID 1102 for Security logs, can be monitored in EDR to detect activity related to Windows event logs being cleared.<BR />8.Monitor for deletion/modifications of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\WOW6432Node\AdvetNet\DesktopCentral\DCAgent &amp; HKLM:\SOFTWARE\WOW6432Node\AdvetNet\ManageEngine\UESAgent.</P><P>Please help me to implement this in EDR. Thanks...</P> Thu, 29 Aug 2024 09:37:45 GMT https://community.checkpoint.com/t5/Endpoint/Want-to-block-some-processes-based-on-event-ID/m-p/224939#M9219 shantilalSuthar 2024-08-29T09:37:45Z