Question & Answer
Question
What can I do to generate an alert for a DLL hijacking event?
Cause
No alert is generated because, since Hive version 3.7, DLL hijacking is categorised as an event rather than an alert.
Answer
No alert is generated when the DLL hijacking policy is violated because the trigger for this particular policy has been demoted to the event level. DLL hijacking protection nevertheless still appears among the existing policies; this will be changed in one of the upcoming updates.
Where a DLL hijacking event must raise an alert, a dedicated detection strategy has to be formulated: a targeted DeStra that creates an alert whenever a DLL hijacking event is logged.
Additionally, the Threat Hunting team can use the "Create Alert" feature to convert subsequent similar DLL hijacking events into alerts. With this feature they can establish proactive alerts that trigger every time similar behaviour takes place.
Product Synonym
ReaQta
Document Information
Modified date:
12 May 2023
UID
ibm16991207