Hi Team,
I am using CP Harmony EDR and want to block some processes which have been reported by the SOC to be malicious.
The SOC team has told us to implement the detection methods below in the EDR:
1. PowerShell script execution event ID 4104 should be monitored for detecting any PowerShell script executions.
2. Network requests originating from unknown processes must be flagged and investigated by EDR/XDR.
3. Event ID 4698 can be monitored in XDR to detect suspicious tasks being created.
4. Event ID 9707 in Shell-Core/Operational logs can be monitored in XDR to detect newly executed processes using Run/RunOnce registry keys.
5. Monitor the user Startup directories for addition of new files with ‘.bat’ extension using XDR.
6. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
7. Event ID 104 for System logs and Event ID 1102 for Security logs can be monitored in EDR to detect activity related to Windows event logs being cleared.
8. Monitor for deletion/modifications of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\WOW6432Node\AdvetNet\DesktopCentral\DCAgent and HKLM:\SOFTWARE\WOW6432Node\AdvetNet\ManageEngine\UESAgent.
Please help me to implement this in EDR. Thanks...