Managed Sentinel – Alert 502
| Field | Value |
|---|---|
| Alert ID | MS-A502 |
| Alert Name | APT Bear Activity GTR19 Lookup |
| Description | This alert triggers when an indicator of compromise related to the Bear Activity GTR19 Advanced Persistent Threat (APT) is identified in the SecurityEvents log. Background: https://www.crowdstrike.com/blog/who-is-fancy-bear/ |
| Severity Level | High |
| Threat Indicator | Compromised Host |
| MITRE ATT&CK Tactics | Execution, Privilege Escalation, Command and Control |
| Log sources | Windows |
| False Positive | Unknown |
| Recommendations | 1. Initiate the Security Incident Response Plan process.<br>2. Isolate the affected internal machine from the corporate network.<br>3. Perform a full scan of the infected host using the endpoint security tool.<br>4. Investigate in Sentinel whether any lateral movement was performed from the infected machine.<br>5. Exercise caution and educate users on the safe handling of emails.<br>6. Install the latest updates for your antimalware software and ensure it runs properly.<br>7. Install the latest updates to the Windows OS on the infected machine.<br>8. Ensure that your organization has the proper settings configured on the email filtering tool. |