Reasons
- High-severity activity observed on a single node; enforcement applied based on severity.
- Multiple stages of an attack chain were observed within a short time window.
- Observed behavior consistent with post-compromise activity, such as backdoors, webshells, or lateral movement.
- High-confidence indicators of post-exploitation activity were detected.
No MITRE ATT&CK mappings available for this decision.
Evidence
- Nodes observed: 1
- Severity: CRITICAL
- TTL remaining: 22h 50m