Is it not possible to create a Notification Rule to email on a SEPM network attack detection of Critical or Higher? For example, we received a detection on an endpoint that I was only able to see in the Log monitoring within SEPM, and did not receive an email notification for. How would I go about creating an email notification for such detections in the future? They're too severe to just not get notified about.
Client Affected

| Field | Value |
|---|---|
| Computer Name (current) | My-Computer1 |
| Computer Name (when event occurred) | My-Computer1 |
| IP Address (current) | fe80::11a2:11a3:3d87:ab97 |
| IP Address (when event occurred) | 192.168.0.105 |
| Local MAC | N/A |
| User Name | none |
| Operating system | Windows 10 Professional Edition |
| Location Name | Default |
| Domain Name | Default |
| Group Name | My CompanyTest |
| Server Name | SYM-Server |
| Site Name | Site SYM-Server |

Risk Detected

| Field | Value |
|---|---|
| Event Time | 11/14/2019 08:54:44 |
| Begin Time | 11/14/2019 08:54:59 |
| End Time | 11/14/2019 08:54:59 |
| Number | 1 |
| Signature Name | Attack: NTLM Hash Theft Attempt |
| Signature ID | 31835 |
| Signature Sub ID | 80115 |
| Intrusion URL | N/A |
| Intrusion Payload URL | N/A |
| Event Description | [SID: 31835] Attack: NTLM Hash Theft Attempt attack blocked. Traffic has been blocked for this application: SYSTEM |
| Event Type | Intrusion Prevention |
| Hack Type | 0 |
| Severity | Critical |
| Application Name | SYSTEM |
| Network Protocol | TCP |
| Traffic Direction | Outbound |
| Remote IP | 192.168.0.133 |
| Remote MAC | N/A |
| Remote Host Name | N/A |
| Alert | 1 |
| Local Port | 51939 |
| Remote Port | 139 |
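Until a notification rule that fires on this is in place, one workable stop-gap is to run a small filter over the exported IPS log and mail anything at or above a chosen severity. The script below is an added example, not Symantec code and not part of the original post: it assumes an export in the same "Field: |" / "value |" layout as the record pasted above (a constructed two-record sample is embedded), and it assumes the SEP severity ladder Information < Minor < Major < Critical. The parser, the `Computer Name (current)` key naming and the helper names are all this example's own choices.

```python
"""Flag exported SEPM IPS events at or above a minimum severity and build an
alert e-mail for them. Added example; assumes the flattened key/value export
layout shown in the pasted record and the SEP severity names listed below."""
from email.message import EmailMessage
from typing import Dict, List, Optional

# Assumed SEP severity ladder, lowest to highest.
SEVERITY_RANK = {"Information": 0, "Minor": 1, "Major": 2, "Critical": 3}

# Constructed sample export: the Critical record from the post, trimmed to the
# fields used here, plus a made-up Minor record. Records are blank-line separated.
SAMPLE_EXPORT = """\
Computer Name |
|
Current: |
My-Computer1 |
When event occurred: |
My-Computer1 |
Signature Name: |
Attack: NTLM Hash Theft Attempt |
Signature ID: |
31835 |
Event Type: |
Intrusion Prevention |
Severity: |
Critical |
Traffic Direction: |
Outbound |
Remote IP: |
192.168.0.133 |
Remote Port: |
139 |

Computer Name |
|
Current: |
My-Computer2 |
Signature Name: |
Constructed low-severity example signature |
Event Type: |
Intrusion Prevention |
Severity: |
Minor |
Traffic Direction: |
Inbound |
Remote IP: |
192.168.0.150 |
Remote Port: |
445 |
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """Turn the flattened export into one dict per record.

    A line ending in ':' is a field name and the next non-empty line is its
    value. A bare header such as 'Computer Name' groups the 'Current' and
    'When event occurred' sub-fields that follow it."""
    records: List[Dict[str, str]] = []
    for chunk in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        pending: Optional[str] = None  # field name waiting for its value
        group: Optional[str] = None    # active header for sub-fields
        for raw in chunk.splitlines():
            line = raw.rstrip().rstrip("|").strip()
            if not line:
                continue
            if pending is not None:
                fields[pending] = line
                pending = None
            elif line.endswith(":"):
                key = line[:-1]
                if group and key in ("Current", "When event occurred"):
                    key = f"{group} ({key.lower()})"
                else:
                    group = None
                pending = key
            else:
                group = line  # header line with no colon, e.g. 'Computer Name'
        if fields:
            records.append(fields)
    return records


def severe_events(records: List[Dict[str, str]], min_severity: str = "Critical",
                  event_type: str = "Intrusion Prevention") -> List[Dict[str, str]]:
    """Keep records of the given event type whose severity meets the threshold.
    Unknown severity strings rank below everything and are never selected."""
    threshold = SEVERITY_RANK[min_severity]
    return [r for r in records
            if r.get("Event Type") == event_type
            and SEVERITY_RANK.get(r.get("Severity", ""), -1) >= threshold]


def format_alert(record: Dict[str, str]) -> str:
    """One-line summary suitable for an e-mail body."""
    return (f"[{record.get('Severity', '?')}] {record.get('Signature Name', '?')} "
            f"(SID {record.get('Signature ID', '?')}) on "
            f"{record.get('Computer Name (current)', '?')}, "
            f"{record.get('Traffic Direction', '?')} to/from "
            f"{record.get('Remote IP', '?')}:{record.get('Remote Port', '?')}")


def build_alert_message(events: List[Dict[str, str]], sender: str,
                        recipient: str) -> EmailMessage:
    """Build (but do not send) an e-mail listing the selected events."""
    if not events:
        raise ValueError("no events to report")
    top = max(events, key=lambda r: SEVERITY_RANK.get(r.get("Severity", ""), -1))
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"SEPM IPS: {len(events)} event(s) at {top['Severity']} or above"
    msg.set_content("\n".join(format_alert(e) for e in events))
    return msg


if __name__ == "__main__":
    hits = severe_events(parse_export(SAMPLE_EXPORT))
    print(build_alert_message(hits, "sepm@example.com", "soc@example.com"))
```

Hand the returned message to `smtplib.SMTP(host).send_message(msg)` on a scheduled run over the latest export; lowering `min_severity` to `"Major"` widens the net without touching the parser.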