How do the Endpoint preventions work?

On this page under the policies:

If I click the link to "related detection rules", it just shows all the Elastic rules. How do I know which rules will prevent traffic because it is ransomware?

Our behavioral ransomware protection feature is fully enabled in Prevent mode according to the policy configuration you provided. Processes on your endpoints which exhibit anomalous file modification behavior will be alerted on and terminated.

The "related detection rules" towards the bottom of the UI screenshot refers to a prebuilt rule we have in place for further promoting awareness for our users when ransomware alerts are generated. In addition to this rule, we have several other rules in place which offer more granular methods for alerting on activity that may be related to ransomware attacks such as volume shadow copy deletion and boot configuration modification.
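As an added illustration (not Elastic's prebuilt rule logic and not part of the original thread), the toy detector below applies the two behaviours the reply names, volume shadow copy deletion and boot configuration modification, to constructed process-start events; the rule names, executable names and command-line patterns are assumptions modelled on commonly published detection content.

```python
"""Toy detector for two ransomware-adjacent behaviours named in the thread:
volume shadow copy deletion and boot configuration modification.
Illustrative example only; these are not Elastic's prebuilt rules."""
import re
from dataclasses import dataclass

# (rule name, expected executable, regex over the full command line).
# Patterns are assumptions, not copied from any vendor rule set.
RULES = [
    ("Volume Shadow Copy Deletion via VssAdmin", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("Volume Shadow Copy Deletion via WMIC", "wmic.exe",
     re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Boot Configuration Modification via BCDEdit", "bcdedit.exe",
     re.compile(r"/set\b.*\b(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

@dataclass
class ProcessEvent:
    host: str
    process_name: str
    command_line: str

def evaluate(event: ProcessEvent) -> list:
    """Return the names of every rule matched by one process-start event."""
    hits = []
    for name, exe, pattern in RULES:
        # Match on the executable name first so a command line that merely
        # mentions the keywords (e.g. in a script path) does not fire.
        if event.process_name.lower() == exe and pattern.search(event.command_line):
            hits.append(name)
    return hits

def scan(events) -> list:
    """Return (host, process_name, rule) tuples for every match in a batch."""
    return [(e.host, e.process_name, r) for e in events for r in evaluate(e)]

# Constructed sample telemetry; the first and last events are benign
# administrative uses and must not alert.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "vssadmin.exe", "vssadmin.exe list shadows"),
    ProcessEvent("ws01", "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("ws02", "wmic.exe", "wmic.exe shadowcopy delete"),
    ProcessEvent("ws02", "bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    ProcessEvent("ws03", "bcdedit.exe", "bcdedit.exe /enum"),
]

if __name__ == "__main__":
    for host, proc, rule in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: {proc} matched '{rule}'")
```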

Thanks for the clarification.
