Analytics Story: Network Discovery

Date: 2022-02-14 ID: af228995-f182-49d7-90b3-2a732944f00f Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.

Why it matters

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Linux System Network Discovery System Network Configuration Discovery Anomaly
Windows Network Share Interaction With Net Network Share Discovery, Data from Network Shared Drive TTP
Internal Horizontal Port Scan Network Service Discovery TTP
Internal Horizontal Port Scan NMAP Top 20 Network Service Discovery TTP
Internal Vertical Port Scan Network Service Discovery TTP
Internal Vulnerability Scan Vulnerability Scanning, Network Service Discovery TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
AWS CloudWatchLogs VPCflow AWS icon AWS aws:cloudwatchlogs:vpcflow aws_cloudwatchlogs_vpcflow
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational

References

Source: GitHub | Version: 1