DET0817 Detection of Scanning IP Blocks

Technique Detected: T1595.001 (Scanning IP Blocks)

Analytics

PRE

AN1949

Monitoring the content of network traffic can help detect patterns associated with active scanning activities. This can include identifying repeated connection attempts, unusual scanning behaviors, or probing activity targeting multiple IP addresses across a network. Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Log Sources

Mutable Elements