Possible Webshell Investigation

Question asked by SSRCFleck on Sep 3, 2014

We are running RSA SA, ESA and Archer. In Archer I have an alert for: possible_webshell grouped by source IP:, the destination and the rule:possible_webshell. I go to SA and do an investigation. Now what? How do I confirm whether this is real or nothing to worry about? I need to know this stuff but do not know where to turn to interpret the alerts, not just for this one but for others too.


