Alerting on malware activity

Get alerted to any host demonstrating malware activity and send a notification to the security team

Workflow

Becoming aware of suspicious activity

Plixer Scrutinizer and the Plixer ML Engine can be used together to help assess possible malware activity on your network.

The ML algorithms used for malware classification trigger alerts within Scrutinizer’s Alarm Policies for traffic/activity that deviates from dynamic ML-modeled baselines.

Note

This workflow relies on the Plixer ML Engine to report classification-based detections. Additional host analysis and risk assessment functions are enabled through Plixer Endpoint Analytics.

Tip

Plixer Scrutinizer and Plixer FlowPro also use STIX/TAXII and other threat intelligence feeds to identify activity associated with common classes of malware and ransomware.

Responding to potential malware

Review the Admin -> Alarm Monitor -> Alarm Policies page and search for the ML Engine malware alert policy. Using a custom Notification Profile, this policy can be configured to trigger an email to one or more addresses. This can be used to alert security team members whenever there are malware detections that should be reviewed.

Hint

Other automated notification actions can also be defined under the same Notification Profile.

From the Alarm Monitor view in the web UI, you can drill into the Alarm Policy and investigate the host with details on its top applications and conversations. Plixer Scrutinizer reporting can generate host-to-host reports to show the full extent of the host's communications with other IPs on the network. Any outbound traffic with remote hosts should be investigated by navigating to the Reports tab of the web interface and running destination reports.
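The two steps above, an alarm-policy notification to the security team and a destination view of the flagged host's outbound traffic, are illustrated below with an added Python example. It is not Plixer's code and does not use the Scrutinizer API; the alarm record, the flow records, the policy name and the email addresses are all constructed here, and "internal" is assumed to mean the RFC 1918 ranges.

```python
"""
Added example (not Plixer's code): from one constructed ML malware alarm and a
handful of constructed flow records, build the kind of per-destination summary a
destination report provides and compose the notification email that a custom
Notification Profile would send to the security team. All field names are assumed.
"""
import ipaddress
from collections import defaultdict
from email.message import EmailMessage

# Constructed alarm record, shaped loosely like an alarm-policy event (assumed fields).
ALARM = {
    "policy": "ML Engine Malware Detection",   # assumed policy name
    "host": "10.20.30.40",
    "severity": "high",
    "timestamp": "2024-05-01T10:15:00Z",
}

# Constructed flow records: (src, dst, dst_port, bytes). Not real traffic.
FLOWS = [
    ("10.20.30.40", "10.20.30.5", 445, 120_000),
    ("10.20.30.40", "10.20.30.6", 445, 98_000),
    ("10.20.30.40", "203.0.113.7", 443, 5_400_000),
    ("10.20.30.40", "203.0.113.7", 443, 2_100_000),
    ("10.20.30.40", "198.51.100.9", 8080, 32_000),
    ("10.20.30.5", "10.20.30.40", 445, 4_000),   # inbound; excluded from the outbound view
]

# Assumption: "internal" means the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def destination_report(host: str, flows) -> dict:
    """Aggregate the host's outbound traffic per destination (bytes, flow count, ports)."""
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0, "ports": set()})
    for src, dst, port, nbytes in flows:
        if src != host:          # only flows the flagged host originated
            continue
        entry = totals[dst]
        entry["bytes"] += nbytes
        entry["flows"] += 1
        entry["ports"].add(port)
    return {dst: {**v, "ports": sorted(v["ports"]), "internal": is_internal(dst)}
            for dst, v in totals.items()}


def outbound_external(report: dict) -> list:
    """Remote (non-internal) destinations ordered by volume, the ones to investigate first."""
    ext = [(dst, v) for dst, v in report.items() if not v["internal"]]
    return sorted(ext, key=lambda kv: kv[1]["bytes"], reverse=True)


def build_notification(alarm: dict, report: dict, recipients) -> EmailMessage:
    """Compose the email a custom Notification Profile would send (assumed layout)."""
    msg = EmailMessage()
    msg["Subject"] = f"[{alarm['severity'].upper()}] {alarm['policy']}: {alarm['host']}"
    msg["To"] = ", ".join(recipients)
    msg["From"] = "scrutinizer-alerts@example.test"   # placeholder sender
    lines = [f"Alarm {alarm['policy']} fired for {alarm['host']} at {alarm['timestamp']}.",
             "", "Outbound to remote hosts (investigate first):"]
    for dst, v in outbound_external(report):
        lines.append(f"  {dst:<16} bytes={v['bytes']:>10} flows={v['flows']} ports={v['ports']}")
    lines += ["", "Internal destinations:"]
    for dst, v in report.items():
        if v["internal"]:
            lines.append(f"  {dst:<16} bytes={v['bytes']:>10} flows={v['flows']} ports={v['ports']}")
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    rep = destination_report(ALARM["host"], FLOWS)
    print(build_notification(ALARM, rep, ["secteam@example.test"]))
```

The split between internal and remote destinations is what makes the report actionable: the remote block is the "outbound traffic with remote hosts" the text says to investigate, while the internal block shows the lateral reach of the host on the network.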

Additionally, Plixer Endpoint Analytics may be able to provide MAC details for the host and report its own risk assessment based on internal algorithms, MS Defender, and Tenable.