Environment
- EDR Server: All Versions
- Threat Intelligence
Question
Does the EDR server have a threat intelligence feed to monitor for CVE-2023-23397?
- Microsoft Outlook Elevation of Privilege Vulnerability
Answer
- Detecting the malicious message properties themselves is better handled by an email security gateway: the property arrives inside the mail message over the network, before anything observable happens on the endpoint, so the EDR sensor has nothing to inspect at that stage.
- What the EDR sensor can see is the resulting connection attempt from the endpoint. You can create a watchlist specific to your environment that looks for network connections from outlook.exe to the standard SMB and LDAP ports (for example TCP 445 and 389) whose destination IPs fall outside the ranges where your authentication infrastructure (domain controllers and file servers) is located. Because the set of trusted IP ranges is different for every environment, this logic cannot be published as a generic threat intelligence feed.
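As an added illustration of the watchlist logic described above (this is example code written for this page, not a Carbon Black query or anything from VMware), the script below applies the same filter to a handful of constructed network-connection events: keep outbound connections from outlook.exe to SMB or LDAP ports whose destination is not inside the trusted authentication-infrastructure ranges. The port list, the trusted ranges and the event fields are assumptions you would replace with your own environment's values.

```python
"""Flag Outlook network connections to SMB/LDAP ports outside trusted ranges.

Example detection logic for the CVE-2023-23397 watchlist idea. Not a Carbon
Black query: it reproduces the filter in plain Python over sample events.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: "standard SMB and LDAP ports" means SMB (139, 445) and LDAP (389, 636).
WATCHED_PORTS = {139, 389, 445, 636}

# Assumption (constructed): where this environment's domain controllers and
# file servers live. Connections inside these ranges are expected.
AUTH_INFRA_RANGES = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("10.20.5.0/24"),
]


@dataclass(frozen=True)
class NetConn:
    """One network-connection event as an EDR sensor would report it (field names assumed)."""
    device: str
    process_name: str
    remote_ip: str
    remote_port: int
    outbound: bool


def is_trusted_destination(ip: str) -> bool:
    """True if the destination is inside a trusted authentication range.

    Unparseable addresses are treated as untrusted so a malformed event is
    surfaced rather than silently dropped.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in AUTH_INFRA_RANGES)


def is_suspicious(conn: NetConn) -> bool:
    """Outbound, from Outlook, to an SMB/LDAP port, to an address we do not own."""
    return (
        conn.outbound
        and conn.process_name.lower() == "outlook.exe"
        and conn.remote_port in WATCHED_PORTS
        and not is_trusted_destination(conn.remote_ip)
    )


def triage(conns: Iterable[NetConn]) -> List[NetConn]:
    """Return only the events the watchlist should raise."""
    return [c for c in conns if is_suspicious(c)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Outlook talking SMB to a trusted domain controller: expected.
    NetConn("WS-0123", "outlook.exe", "10.10.0.5", 445, True),
    # Outlook opening SMB to an address outside the trusted ranges: raise.
    NetConn("WS-0123", "outlook.exe", "203.0.113.7", 445, True),
    # Same destination from explorer.exe: outside this watchlist's scope.
    NetConn("WS-0123", "explorer.exe", "203.0.113.7", 445, True),
    # Outlook opening LDAP to an untrusted address: raise.
    NetConn("WS-0456", "outlook.exe", "198.51.100.23", 389, True),
    # Normal HTTPS mail traffic on a port we are not watching: ignore.
    NetConn("WS-0456", "outlook.exe", "52.96.0.1", 443, True),
    # Malformed address on a watched port: treated as untrusted, raise.
    NetConn("WS-0789", "outlook.exe", "not-an-ip", 445, True),
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit.device}: {hit.process_name} -> {hit.remote_ip}:{hit.remote_port}")
```

Two practical caveats when turning this into a real watchlist: exclude any legitimate Outlook SMB or LDAP destinations you discover during tuning rather than widening the trusted ranges blindly, and remember that if outbound TCP 445 is blocked, Windows may retry the UNC path over WebDAV (TCP 80/443), which a port filter like this one will not catch.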
Additional Notes
- VMware Carbon Black support does not assist with writing queries. For any further inquiries on creating a watchlist to monitor this, please engage in the threat intelligence discussion on the community forums: Community Discussion on CVE-2023-23397 Detections