Mar 24 2023 08:41 AM
I am currently investigating the following timeline. All of the involved binaries are part of Windows. How can I make sure whether this is a false positive or whether I need to dig deeper?
Mar 24 2023 08:58 AM
Mar 24 2023 09:04 AM - edited Mar 24 2023 09:12 AM
Thank you, yes both are enabled. ASR rules in Block mode and automated incident response.
> they don't appear to be the point of origin.
How do I investigate the point of origin here?
Mar 24 2023 03:21 PM - edited Mar 24 2023 03:22 PM
The timeline ideally should give you details. Otherwise, advanced hunting queries will be the next best option for investigation.