Analytics Story: Network Discovery

Date: 2022-02-14 ID: af228995-f182-49d7-90b3-2a732944f00f Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.

Why it matters

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows Network Share Interaction With Net Network Share Discovery, Data from Network Shared Drive TTP
Linux System Network Discovery System Network Configuration Discovery Anomaly
Windows Detect Network Scanner Behavior Active Scanning, Scanning IP Blocks, Vulnerability Scanning Anomaly
Windows Network Share Interaction Via Net Network Share Discovery, Data from Network Shared Drive Anomaly
Internal Horizontal Port Scan Network Service Discovery TTP
Internal Horizontal Port Scan NMAP Top 20 Network Service Discovery TTP
Internal Vertical Port Scan Network Service Discovery TTP
Internal Vulnerability Scan Vulnerability Scanning, Network Service Discovery TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
AWS CloudWatchLogs VPCflow AWS icon AWS aws:cloudwatchlogs:vpcflow aws_cloudwatchlogs_vpcflow
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1