IBM Support

QRadar EDR (formerly ReaQta): No alerts produced when the DLL hijacking policy is triggered

Question & Answer


Question

Why is it that no alerts are generated or raised as notifications when the DLL hijacking policy behaviour seems to be triggered?
What can I do to generate an alert for it?

Cause

No alert is generated because, since Hive version 3.7, DLL hijacking is categorised as an event rather than an alert.

Answer

No alert is generated when the DLL hijacking policy is violated because the trigger for this particular policy has been demoted to the event level. DLL hijacking protection is nevertheless still listed among the existing policies; this will be changed in one of the upcoming updates.

In scenarios where a DLL hijacking event must trigger an alert, a specific detection strategy needs to be formulated: craft a targeted DeStra that creates an alert whenever a DLL hijacking event is logged.

Additionally, the Threat Hunting team can use the "Create Alert" feature to convert subsequent similar DLL hijacking events into alerts. By using this feature, they can establish proactive alerts that trigger every time similar behaviour takes place.
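Both approaches above (a targeted DeStra, or "Create Alert" on an existing event) amount to the same detection logic: select DLL hijacking events from the event stream and promote each one to an alert, while suppressing repeats of the same behaviour so the change does not produce an alert storm. The following is an added illustration of that logic in Python; it is not DeStra code and not part of this IBM document. The event schema (keys such as "event_type", "endpoint", "process" and "dll_path") and the sample events are constructed placeholders, not the QRadar EDR / ReaQta schema.

```python
"""Illustrative event-to-alert promotion logic (added example, not DeStra code).

Assumption: events arrive as dicts in a hypothetical schema with the keys
"ts" (ISO 8601), "event_type", "endpoint", "process" and "dll_path".
"""
from datetime import datetime, timedelta

# Constructed sample events in the hypothetical schema above.
SAMPLE_EVENTS = [
    {"ts": "2023-05-12T09:00:00", "event_type": "dll_hijacking", "endpoint": "WS-01",
     "process": "app.exe", "dll_path": "C:\\Users\\Public\\version.dll"},
    # Same behaviour five seconds later: should be suppressed as a duplicate.
    {"ts": "2023-05-12T09:00:05", "event_type": "dll_hijacking", "endpoint": "WS-01",
     "process": "app.exe", "dll_path": "C:\\Users\\Public\\version.dll"},
    # Unrelated event type: must be ignored by the rule.
    {"ts": "2023-05-12T09:01:00", "event_type": "process_start", "endpoint": "WS-01",
     "process": "notepad.exe"},
    # Different endpoint and DLL: a separate alert.
    {"ts": "2023-05-12T10:30:00", "event_type": "dll_hijacking", "endpoint": "WS-02",
     "process": "svc.exe", "dll_path": "C:\\Temp\\wlbsctrl.dll"},
]


def promote_to_alerts(events, suppress_window=timedelta(minutes=10)):
    """Promote DLL hijacking events to alerts.

    One alert is raised per (endpoint, process, dll_path) tuple; further
    identical events inside `suppress_window` are treated as repeats of the
    same behaviour and suppressed.
    """
    last_alert = {}   # dedup key -> timestamp of the last alert raised
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event_type") != "dll_hijacking":
            continue  # the rule only promotes this event type
        key = (ev["endpoint"], ev["process"], ev["dll_path"])
        ts = datetime.fromisoformat(ev["ts"])
        prev = last_alert.get(key)
        if prev is not None and ts - prev < suppress_window:
            continue  # duplicate within the suppression window
        last_alert[key] = ts
        alerts.append({
            "severity": "high",
            "title": f"DLL hijacking: {ev['process']} loaded {ev['dll_path']} on {ev['endpoint']}",
            "event": ev,
        })
    return alerts


if __name__ == "__main__":
    for alert in promote_to_alerts(SAMPLE_EVENTS):
        print(alert["title"])
```

Run against the constructed sample, the rule yields two alerts (one per endpoint) instead of three, because the second WS-01 event falls inside the suppression window. Tune the window to the environment; a very short window reproduces the raw event volume, which is exactly what the demotion to event level was avoiding.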


Product Synonym

ReaQta

Document Information

Modified date:
12 May 2023

UID

ibm16991207