Hello,
We have come to realize that a great addition to the custom intrusion prevention signatures would be the ability to filter by the process/executable that triggers such an alert.
For example, an unknown process or executable that hasn't been detected by SEP is sending malicious content through port 80/443. The way for us, using the endpoint, to detect that would be to create a rule in custom intrusion prevention that logs all connections to those ports that are not created by iexplorer.exe, firefox.exe or chrome.exe.
Kind regards,