Delinea Privilege Manager detected a suspicious application justification event based on VirusTotal rating

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects application justification events for applications that VirusTotal has rated as suspicious.

Strategy

This rule monitors Delinea Privilege Manager logs for application justification events in which the application carries a suspicious VirusTotal rating.

Triage and Response

  1. Investigate the application justification event for file {{@FileName}} on system {{@ComputerName}}, including the file path {{@FilePath}} and the user {{@usr.name}}.
  2. Determine if the endpoint is critical or frequently targeted.
  3. Review the justification ({{@UserReason}}) to verify that it aligns with a legitimate business need.
  4. Validate the justification directly with the user to confirm intent.
  5. Block the application if unauthorized, and isolate the endpoint if suspicious activity is detected.
  6. For repeatedly flagged applications, enforce stricter controls or require administrator approval.
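The rule logic from the Strategy section and the repeat-flag check from step 6, as an added Python example run over constructed log lines (this is not Datadog's or Delinea's code). The attributes `FileName`, `FilePath`, `ComputerName`, `usr.name` and `UserReason` are the ones the triage steps reference; the `EventType` and `VirusTotalRating` field names and their values are assumptions standing in for whatever the real Delinea events carry.

```python
"""Illustrative detection over constructed Delinea Privilege Manager events.

Assumptions (not from the rule page): each log line is a JSON object with an
'EventType' of 'ApplicationJustification' for justification events and a
'VirusTotalRating' field whose value 'Suspicious' is what the rule keys on.
Real Delinea field names may differ; treat these as placeholders.
"""
import json
from collections import Counter

# Constructed sample log lines (not real Delinea output).
SAMPLE_LOGS = [
    json.dumps({"EventType": "ApplicationJustification", "FileName": "updater.exe",
                "FilePath": "C:\\Users\\jdoe\\Downloads\\updater.exe", "ComputerName": "WS-0142",
                "usr.name": "jdoe", "UserReason": "Vendor asked me to run this",
                "VirusTotalRating": "Suspicious"}),
    json.dumps({"EventType": "ApplicationJustification", "FileName": "excel.exe",
                "FilePath": "C:\\Program Files\\Microsoft Office\\excel.exe", "ComputerName": "WS-0142",
                "usr.name": "jdoe", "UserReason": "Monthly report",
                "VirusTotalRating": "Clean"}),
    json.dumps({"EventType": "ApplicationJustification", "FileName": "updater.exe",
                "FilePath": "C:\\Users\\asmith\\Desktop\\updater.exe", "ComputerName": "WS-0207",
                "usr.name": "asmith", "UserReason": "Needed for printer setup",
                "VirusTotalRating": "suspicious"}),
    json.dumps({"EventType": "ApplicationBlocked", "FileName": "tool.exe",
                "FilePath": "C:\\Temp\\tool.exe", "ComputerName": "WS-0301",
                "usr.name": "bwong", "UserReason": "",
                "VirusTotalRating": "Suspicious"}),
    "not json at all",
]

SUSPICIOUS = "suspicious"


def parse_event(line):
    """Return the event dict, or None for malformed lines so one bad line does not stop the run."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def is_match(event):
    """Rule logic: a justification event whose VirusTotal rating is suspicious.

    The rating comparison is case-insensitive so 'Suspicious' and 'suspicious' both match;
    blocked or allowed events with the same rating are out of scope for this rule.
    """
    return (event.get("EventType") == "ApplicationJustification"
            and str(event.get("VirusTotalRating", "")).lower() == SUSPICIOUS)


def triage_message(event):
    """Render the context that triage steps 1 and 3 ask the analyst to review."""
    fields = {k: event.get(k, "<unknown>") for k in ("FileName", "ComputerName", "FilePath", "UserReason")}
    return ("Investigate justification for file {FileName} on {ComputerName} "
            "(path: {FilePath}, user: {user}); reason given: {UserReason!r}").format(
                user=event.get("usr.name", "<unknown>"), **fields)


def run_rule(lines):
    """Return (matches, repeat_counts): the matching events and how often each file name was flagged.

    The repeat count supports step 6: files flagged more than once are candidates
    for stricter controls or an administrator-approval requirement.
    """
    matches = [e for e in map(parse_event, lines) if e is not None and is_match(e)]
    repeat_counts = Counter(e.get("FileName") for e in matches)
    return matches, repeat_counts


if __name__ == "__main__":
    found, repeats = run_rule(SAMPLE_LOGS)
    for ev in found:
        print(triage_message(ev))
    for name, n in repeats.items():
        if n > 1:
            print(f"{name} flagged {n} times: consider stricter controls or admin approval (step 6)")
```

On the constructed input, the clean Excel launch and the blocked-application event are ignored, the two `updater.exe` justifications match, and the repeat counter surfaces that file as flagged twice across two endpoints.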