If this is in the wrong group, please forgive me, but I really don't know exactly WHERE the problem is.
So here is the setup.
I am running my clients' ePO, ENS, TIE and ATD through North America, Africa, Europe and Asia.
Another firm is running SIEM, and by the looks of the e-mail, they are running QRadar as malware detection software. The mail references a rule triggered, SR17, and claims that my hosts are sending malware.
I have cleared the .TMP files, updated clients and agents, run full scans, gone through the threat event logs, but I have not found a single entry on the local Agent, or even on ePO stating that there might be a problem.
CloudSIEM Security would like to bring to your attention an offense relating to the local host sending malware. This suggests the local host is likely infected with malware and could potentially be attempting to infect other hosts on the network.
The following rule has triggered:
SR17 - Local Host Sending Malware
The rule indicates that:
A local host machine has been sending malware. This suggests that the host machine could be infected with malware and is attempting to spread to other hosts on the network. This could also indicate a potential insider threat. You may want to review the user as well as the device. Please see further triage included in the email attachment.
Our Analyst Found:
None of the IP addresses in this alert are known to be malicious; however, you may want to investigate the alert further. X-Force Exchange will provide more information regarding the IP addresses involved; the link for this is in the attached triage results. The information on X-Force is updated regularly, so it may not match the triage exactly. If your investigation concludes that any of the IP addresses in the alert are known and valid, please let us know.
We have observed that the host (IP) tried to access some phishing URLs. These events were tracked down by "Zscaler Web Proxy @ (IP)".
Kindly investigate these events and check for any suspicious activity within the network.
Has anyone else had a similar issue? Any assistance would be greatly appreciated.
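One way to approach the gap described above (the SIEM says a host hit phishing URLs via the web proxy, but the endpoint side shows nothing) is to cross-check the proxy hits against the endpoint threat events for the same host and time window. The script below is an added example, not code from the original post, McAfee, IBM or Zscaler; the log layouts, field names, IP addresses and URLs are all constructed here and do not follow any vendor's real export format. It lists the hosts whose proxy-flagged phishing activity has no matching endpoint detection, which are the ones worth checking by hand (agent log, ePO threat events, user activity).

```python
"""Cross-check web-proxy phishing hits against endpoint (ePO-style) threat events.

Added example, not from the original post or any vendor. The field layouts are
assumptions: they follow the general shape of a proxy access log and a threat
event export, not an exact QRadar, Zscaler or ePO schema.
"""
from datetime import datetime, timedelta

# Constructed sample proxy log (tab-separated), assumed layout:
# time \t client_ip \t url_category \t action \t url
PROXY_LOG = """\
2024-01-10T09:12:04Z\t10.20.30.40\tPhishing\tBlocked\thttp://login.example.invalid/verify
2024-01-10T09:12:09Z\t10.20.30.40\tPhishing\tBlocked\thttp://login.example.invalid/confirm
2024-01-10T09:40:00Z\t10.20.30.41\tBusiness\tAllowed\thttps://intranet.example.invalid/
2024-01-10T10:05:33Z\t10.20.30.42\tPhishing\tAllowed\thttp://pay.example.invalid/
"""

# Constructed sample endpoint threat events, assumed fields.
EPO_EVENTS = [
    {"time": "2024-01-10T10:06:10Z", "ip": "10.20.30.42",
     "threat": "Trojan.Generic", "action": "Deleted"},
]

# Proxy categories treated as worth correlating (assumption).
SUSPICIOUS_CATEGORIES = frozenset({"Phishing", "Malware"})


def _parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in both sample sources."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_proxy_log(text):
    """Turn the tab-separated proxy log into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, ip, category, action, url = line.split("\t")
        rows.append({"time": _parse_ts(t), "ip": ip, "category": category,
                     "action": action, "url": url})
    return rows


def hosts_missing_endpoint_detection(proxy_rows, epo_events,
                                     window=timedelta(hours=1),
                                     suspicious=SUSPICIOUS_CATEGORIES):
    """Return {ip: [(proxy_action, url), ...]} for hosts that had a suspicious
    proxy hit but no endpoint threat event within +/- window of that hit.

    A host that appears here is exactly the situation in the post: the proxy
    (and therefore the SIEM) saw something, the endpoint product saw nothing.
    """
    epo_times_by_ip = {}
    for event in epo_events:
        epo_times_by_ip.setdefault(event["ip"], []).append(_parse_ts(event["time"]))

    gaps = {}
    for row in proxy_rows:
        if row["category"] not in suspicious:
            continue
        endpoint_times = epo_times_by_ip.get(row["ip"], [])
        covered = any(abs(t - row["time"]) <= window for t in endpoint_times)
        if not covered:
            gaps.setdefault(row["ip"], []).append((row["action"], row["url"]))
    return gaps


if __name__ == "__main__":
    rows = parse_proxy_log(PROXY_LOG)
    for ip, hits in sorted(hosts_missing_endpoint_detection(rows, EPO_EVENTS).items()):
        print(f"{ip}: {len(hits)} suspicious proxy hit(s), no endpoint event in window")
        for action, url in hits:
            print(f"    [{action}] {url}")
```

With the constructed data, 10.20.30.42 is not reported because an endpoint event exists within the hour, while 10.20.30.40 is reported with both blocked phishing URLs. A "Blocked" action on the proxy side, as in that case, means the request never completed, which is one plausible reason the endpoint product has nothing to show and a point worth raising with whoever runs the SIEM rule.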