Hi Team,
We are using 14.0.3929 verion in our environment along with ATP version 3.1.0-678 . From the last couple of days we are getting this alert in ATP:
| 2018-07-18 14:21:59 UTC | 4124: Endpoint (IP/URL/Domain) Detection
| |
|
| app_name | | C:/PROGRAM FILES/INTERNET EXPLORER/IEXPLORE.EXE | | categories | | Attack | | data_source_url_domain | | | | deepsight_domain | | notavailable | | description | | | | device_ip | | 172.*>*>* | | device_name | | hostname | | device_time | | 2018-07-18 14:21:59 UTC | | device_uid | | 39c4147 | | domain_name | | abc | | event_desc | | [SID: 30529] Web Attack: Fake TechSupport Domains 2 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE | | event_id | | 206: Intrusion detected | | external_ip | | 172*>*>* | | host_name | | hostname | | infected | | false | | intrusion_url | | www.bing.comwww.bing.com:443 | | local_host_mac | | 000000000000 | | log_time | | 2018-07-18 14:25:06 UTC | | network_protocol | | 2: TCP | | remote_host_mac | | 000000000000 | | severity | | 3: Critical | | sid | | 30529 | | signature_id | | 30529 | | signature_name | | Web Attack: Fake TechSupport Domains 2 | | symc_device_action | | 1: Blocked | | time | | 2018-07-18 14:21:59 UTC | | timezone | | UTC | | traffic_direction | | 1: Inbound | | type_id | | 4124: Endpoint (IP/URL/Domain) Detection | | user_name | | 60891 |
|
Could you please explain what this attack actually means? Bing.com is blocked already in this environment .
Regards,
Jagadeesh