SEPM Network Attack Notification

I need a solution

Is it not possible to create a Notification Rule to email on a SEPM network attack detection of Critical or higher? For example, we received a detection on an endpoint that I was only able to see in the log monitoring within SEPM, and did not receive an email notification for. How would I go about creating an email notification for such detections in the future? They're too severe to just not get notified about.

Client Affected
  Computer Name
    Current: My-Computer1
    When event occurred: My-Computer1
  IP Address
    Current: fe80::11a2:11a3:3d87:ab97
    When event occurred: 192.168.0.105
  Local MAC: N/A
  User Name: none
  Operating system: Windows 10 Professional Edition
  Location Name: Default
  Domain Name: Default
  Group Name: My CompanyTest
  Server Name: SYM-Server
  Site Name: Site SYM-Server

Risk Detected
  Event Time: 11/14/2019 08:54:44
  Begin Time: 11/14/2019 08:54:59
  End Time: 11/14/2019 08:54:59
  Number: 1
  Signature Name: Attack: NTLM Hash Theft Attempt
  Signature ID: 31835
  Signature Sub ID: 80115
  Intrusion URL: N/A
  Intrusion Payload URL: N/A
  Event Description: [SID: 31835] Attack: NTLM Hash Theft Attempt attack blocked. Traffic has been blocked for this application: SYSTEM
  Event Type: Intrusion Prevention
  Hack Type: 0
  Severity: Critical
  Application Name: SYSTEM
  Network Protocol: TCP
  Traffic Direction: Outbound
  Remote IP: 192.168.0.133
  Remote MAC: N/A
  Remote Host Name: N/A
  Alert: 1
  Local Port: 51939
  Remote Port: 139
  (unlabeled fields): 0, 1573804703
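As an added example (not part of the original post, and not Symantec's own notification code), the Python script below shows the filter such a notification rule has to apply: keep only Intrusion Prevention records whose Severity is at or above a threshold, then build the e-mail for each hit. The input is a constructed rendering of the record pasted above as one "Field: value" pair per line, plus a second, invented Major-severity record so the threshold has something to reject; the severity ordering, the invented record and the sender/recipient addresses are assumptions, not values from the page.

```python
"""Filter SEPM intrusion-prevention records by severity and build the
alert e-mail for each qualifying one.  Added example; it does not use
SEPM's notification rules or any Symantec API."""

from email.message import EmailMessage

# Severity names ranked so "Critical or higher" can be compared numerically.
# Assumed ordering: only "Critical" appears in the record on the page.
SEVERITY_RANK = {"Information": 0, "Minor": 1, "Major": 2, "Critical": 3}

# Constructed input: the page's record as "Field: value" lines, followed by
# an invented Major-severity record.  Records are separated by a blank line.
SAMPLE_LOG = """\
Computer Name: My-Computer1
IP Address: 192.168.0.105
Event Time: 11/14/2019 08:54:44
Signature Name: Attack: NTLM Hash Theft Attempt
Signature ID: 31835
Event Description: [SID: 31835] Attack: NTLM Hash Theft Attempt attack blocked. Traffic has been blocked for this application: SYSTEM
Event Type: Intrusion Prevention
Severity: Critical
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Outbound
Remote IP: 192.168.0.133
Local Port: 51939
Remote Port: 139

Computer Name: My-Computer2
IP Address: 192.168.0.106
Event Time: 11/14/2019 09:10:02
Signature Name: Constructed Major-severity signature
Signature ID: 0
Event Type: Intrusion Prevention
Severity: Major
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Inbound
Remote IP: 192.168.0.140
Local Port: 445
Remote Port: 50000
"""

# Fields worth carrying into the alert body, in display order.
BODY_FIELDS = ("Computer Name", "IP Address", "Event Time", "Signature Name",
               "Signature ID", "Severity", "Traffic Direction", "Remote IP",
               "Local Port", "Remote Port", "Event Description")


def parse_records(text):
    """Split the log into blank-line separated records, each a dict.
    Only the first ': ' is split on, so values that contain colons
    ("Attack: NTLM ...", "[SID: 31835] ...") survive intact."""
    records = []
    for chunk in text.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            if ": " not in line:
                continue
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def should_notify(fields, min_severity="Critical"):
    """True for an Intrusion Prevention record at or above min_severity.
    An unknown severity string never notifies, so a renamed level in a
    future log format is noticed in testing rather than silently paged."""
    if fields.get("Event Type") != "Intrusion Prevention":
        return False
    rank = SEVERITY_RANK.get(fields.get("Severity", ""))
    return rank is not None and rank >= SEVERITY_RANK[min_severity]


def build_alert(fields, sender="sepm@example.com", recipient="soc@example.com"):
    """Compose (but do not send) the e-mail for one record; addresses assumed."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "[SEPM IPS {}] {} on {}".format(
        fields.get("Severity", "?"), fields.get("Signature Name", "?"),
        fields.get("Computer Name", "?"))
    body = "\n".join("{}: {}".format(k, fields[k]) for k in BODY_FIELDS if k in fields)
    msg.set_content(body)
    return msg


def alerts_for(text, min_severity="Critical"):
    """All alert messages the log warrants at the given threshold."""
    return [build_alert(r) for r in parse_records(text) if should_notify(r, min_severity)]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(alert["Subject"])
```

With the default threshold only the Critical record produces a message; lowering the threshold to "Major" yields both. Delivery is left out so the block runs offline; handing each message to `smtplib.SMTP(host).send_message(msg)` is the remaining step.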
