I recently a received an alert for a system in my network, threat name, ExP:Illegal API Use. The file it triggered for was Powershell.exe and it was reported as a IDS_ACTION_WOULD_BLOCK. I understand the blocking has to do with my current policy but there was no event ID to tie this to.
The system has been offline since then and has not been started. Could you please provide some more insights on this?
Usually for IPS events, event ID is the same, but "Analyzer Rule ID" should tell you which signature is violated. In mentioned example violation of 6082 signature is detected because Powershell has been called to execute "-ExecutionPolicy Unrestricted" command.
IDS_ACTION_WOULD_BLOCK means that probably you have signature enabled to report only, not to block, but like I said, we will need more info.
I hope this helps.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.