Quick Start Security for Amazon VPC Flow Logs
Coralogix Extension For Amazon VPC Flow Logs Includes:
Dashboards - 1
Gain instantaneous visualization of all your Amazon VPC Flow Logs data.
Alerts - 12
Stay on top of Amazon VPC Flow Logs key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Flow Alert - Rejected Internal Scanning Attempts
This alert triggers whenever internal scanning from a local source IP is observed and the scanning attempts are rejected by the targeted hosts. The idea is to track network-wide internal scanning attempts that the targeted hosts reject. This behavior could be benign, but it can also indicate internal scanning by an attacker.
Note: Please whitelist the source IPs/destination IPs to fine-tune the alert. Also, adjust the threshold value as per your business requirements.
Impact: Multiple rejected connections could indicate possible malicious activity.
Mitigation: Check whether the rejected traffic is legitimate and known to the users. If not, check for any malicious traffic and make sure that security groups and NACLs are configured correctly.
MITRE Tactic: TA0043
MITRE Technique: T1595
Potential Port Scanning Detected (External to Internal)
This alert triggers whenever potential port scanning from an external IP is detected. Port scanning can provide malicious actors with information such as the running OS, application versions, and more.
Note: Please whitelist source IPs/destination IPs as per your business requirements to reduce the noise.
Impact: Threat actors scan an organization's network to find open ports and the service versions behind them. This gives them an idea of whether there are any vulnerabilities they can target.
Mitigation: Check whether the traffic is legitimate and known to the user. If not, investigate further for any compromise.
MITRE Tactic: TA0043
MITRE Technique: T1595
Potential Port Scanning Detected (Internal to Internal)
This alert triggers whenever potential port scanning from the internal IP range is detected. Port scanning can provide malicious actors with information such as the running OS, application versions, and more.
Note: Please whitelist source IPs/destination IPs as per your business requirements to reduce the noise.
Impact: Threat actors scan an organization's internal network for additional reconnaissance or to discover other assets.
Mitigation: Check whether the traffic is legitimate and known to the user. If not, investigate further for any compromise.
MITRE Tactic: TA0043
MITRE Technique: T1595
Flow Alert - Possible Brute Force Attack Over Remote Service Ports
This alert triggers whenever an incoming connection over port 22 or 3389 fails multiple times from a source IP and is followed by a successful connection from the same source IP address. Port 22 (SSH) is used to build secure, tunneled network connections. Port 3389 (RDP) enables users to connect to their desktop computers remotely from another device.
Note: Please whitelist any destination host, source IP address or source country as per your business requirements to reduce the noise.
Impact: If these ports are open to the internet for anyone to access, threat actors can exploit any vulnerabilities associated with them to gain remote access to a host inside the network, and from there expand their reach further into it.
Mitigation: Close these ports to the internet (external network) if there is no business purpose. If that is not possible, block the incoming IPs on the firewall. For the accepted connections, investigate the relevant machines for any malicious activity.
MITRE Tactic: TA0008
MITRE Technique: T1021
DNS Request Not Over UDP
This alert triggers on DNS-related traffic originating from a local IP to destination port 53 over any protocol other than UDP, the standard transport for DNS.
Note: Please whitelist any TCP DNS traffic that is expected.
Impact: DNS traffic over any protocol other than UDP can indicate malicious activity such as DNS tunneling.
Mitigation: Check the reputation of the destination address to identify whether it is associated with any known malicious activity. If needed, run a full scan on the machine with the available EDR/AV solutions to make sure no malicious software is running on it. If needed, investigate further according to company policies.
MITRE Tactic: TA0011
MITRE Technique: T1071
Internal Communication with a New IP Address
This alert triggers whenever an internal IP address initiates and establishes communication with another internal IP, provided that this pair was not seen communicating in the last month.
Note: You can whitelist the source IPs/destination IPs or adjust the threshold value to reduce the noise as per your business requirements.
Impact: Communication of this nature can indicate that a new asset was added to the network, or that the communication between the two internal hosts is unusual and could be suspicious activity.
Mitigation: Check whether the host is known and, if so, whether the communication is legitimate and known to the user. If not, investigate further for malicious activity.
MITRE Tactic: TA0010
MITRE Technique: T1041
Excessive Inbound ICMP Traffic Observed
This alert triggers whenever an IP address sends a high number of ICMP ping requests within a short interval of time to hosts within a VPC.
Impact: Allowing unrestricted inbound/ingress ICMP access to your VPC can increase opportunities for malicious activities such as Denial-of-Service (DoS) attacks, Smurf and Fraggle attacks.
Mitigation: Validate whether the incoming requests are legitimate. If there is no business requirement, restrict inbound ICMP from the internet in the security group rules. If needed, block the source IP in your AWS environment.
MITRE Tactic: TA0043
MITRE Technique: T1595
Outbound Communication With Suspicious IP Addresses
This alert triggers whenever a local IP address communicates with an external IP address labeled malicious by threat intel platforms.
Note: If communication with the malicious IP is part of the business requirement, please whitelist the IP address. If you think the IP is falsely tagged as malicious, please let the respective threat intel platform know so that it can whitelist the IP address.
Impact: Outgoing communication to a malicious IP address could indicate malicious activity in your environment. It could also indicate C2 communication.
Mitigation: Please check whether this traffic is legitimate. If not, block the IP address and check further for any malicious activity in your environment.
MITRE Tactic: TA0011
MITRE Technique: T1071
Outbound Traffic to an Unusual Geo Location
This alert triggers whenever traffic originates from a local IP address to an unusual country that was not seen in the last month.
Impact: Outgoing traffic to an unusual country could indicate that a user account is compromised.
Mitigation: Check whether the traffic is legitimate and known to the user. If not, investigate further for any compromise.
MITRE Tactic: TA0011
MITRE Technique: T1071
Anomalous Outbound Data Transferred
This alert triggers whenever a high amount of data is sent to an external IP address.
Note: For this alert, the threshold is set to more than 20000000 bytes (~20 MB). Please fine-tune this value as per your business requirements.
Impact: Anomalous data transfer from a local IP address to an external IP address could indicate possible data exfiltration activity.
Mitigation: Check whether the traffic is legitimate and known to the user. If not, investigate further for any compromise.
MITRE Tactic: TA0043
MITRE Technique: T1595
Multiple REJECT Requests From a Single Source to Multiple Destinations (External to Internal)
This alert triggers whenever multiple REJECT requests from a single remote/external source IP address to multiple local destination IPs are observed. This behavior could be benign, but it can also indicate scanning by an attacker and/or an attempt to breach the organization's perimeter.
Note: Please whitelist the source IPs/destination IPs to fine-tune the alert. Also, adjust the threshold value as per your business requirements.
Impact: Multiple rejected connections could indicate possible reconnaissance activity.
Mitigation: Check whether the rejected traffic is legitimate and known to the users. If not, check for any malicious traffic and make sure that security groups and NACLs are configured correctly.
MITRE Tactic: TA0043
MITRE Technique: T1595
Multiple REJECT Requests From a Single Source to Multiple Destinations (Internal to Internal)
This alert triggers whenever multiple REJECT requests from a single local source IP address to multiple local destination IPs are observed. This behavior could be benign, but it can also indicate scanning by an attacker.
Note: Please whitelist the source IPs/destination IPs to fine-tune the alert. Also, adjust the threshold value as per your business requirements.
Impact: Multiple rejected connections could indicate possible reconnaissance activity.
Mitigation: Check whether the rejected traffic is legitimate and known to the users. If not, check for any malicious traffic and make sure that security groups and NACLs are configured correctly.
MITRE Tactic: TA0043
MITRE Technique: T1595
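The following is an added illustration of how two of the detections above can be expressed over raw VPC Flow Logs: the "DNS Request Not Over UDP" check and the REJECT fan-out logic behind the internal and external "Multiple REJECT Requests" alerts. It is not Coralogix's alert definition and is not taken from the extension; it parses the default (version 2) flow log record format, every flow record in it is constructed, and LOCAL_NET is an assumed VPC range standing in for your own address space. The whitelist and threshold parameters correspond to the tuning knobs the notes above recommend.

```python
"""Added example: two VPC Flow Logs detections from this page, not Coralogix code.
  * dns_not_over_udp: port-53 flows from a local source not carried over UDP
  * reject_fanout: one source REJECTed by many distinct local destinations
Records use the default v2 format; all sample records below are constructed."""
import ipaddress
from collections import defaultdict, namedtuple

FlowRecord = namedtuple(
    "FlowRecord",
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status",
)
PROTO_UDP = 17  # IANA protocol number as written in the 'protocol' field
LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC CIDR (placeholder)


def _reject_lines(src, dst_prefix, count, t0):
    """Constructed REJECTed flows from src to dst_prefix.1 .. dst_prefix.count."""
    return [
        f"2 123456789012 eni-0a1b2c3d {src} {dst_prefix}.{i} 51000 445 6 1 44 "
        f"{t0 + i} {t0 + i + 1} REJECT OK"
        for i in range(1, count + 1)
    ]


# Constructed sample log: one UDP DNS lookup, two TCP flows to port 53 from the
# same local host, one ICMP flow (ports are '-'), a NODATA record, and three
# REJECT fan-outs (external scanner, small internal sweep, approved scanner).
SAMPLE_LOGS = "\n".join(
    [
        "2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.0.2 53211 53 17 1 73 1700000000 1700000060 ACCEPT OK",
        "2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 41022 53 6 45 6120 1700000000 1700000060 ACCEPT OK",
        "2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 41023 53 6 40 5800 1700000060 1700000120 ACCEPT OK",
        "2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.0.2 - - 1 5 420 1700000000 1700000060 ACCEPT OK",
        "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
    ]
    + _reject_lines("203.0.113.9", "10.0.2", 12, 1700000000)
    + _reject_lines("10.0.5.5", "10.0.2", 4, 1700000000)
    + _reject_lines("10.0.9.9", "10.0.3", 20, 1700000000)
)


def _to_int(value):
    return None if value == "-" else int(value)


def parse_flow_log(text):
    """Parse default-format records; skips NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        records.append(FlowRecord(
            int(f[0]), f[1], f[2], f[3], f[4],
            _to_int(f[5]), _to_int(f[6]), _to_int(f[7]), _to_int(f[8]), _to_int(f[9]),
            int(f[10]), int(f[11]), f[12], f[13],
        ))
    return records


def is_local(addr):
    return ipaddress.ip_address(addr) in LOCAL_NET


def dns_not_over_udp(records, expected_tcp_resolvers=frozenset()):
    """(src, dst, protocol, bytes) for port-53 flows from a local source that did
    not use UDP; expected_tcp_resolvers is the whitelist for known TCP DNS."""
    return [
        (r.srcaddr, r.dstaddr, r.protocol, r.bytes)
        for r in records
        if r.dstport == 53 and r.protocol != PROTO_UDP
        and is_local(r.srcaddr) and r.dstaddr not in expected_tcp_resolvers
    ]


def reject_fanout(records, threshold, window_seconds=300,
                  whitelist_src=frozenset(), whitelist_dst=frozenset()):
    """One alert per (source, window) in which at least `threshold` distinct local
    destinations REJECTed the source; scope mirrors the two alert variants."""
    seen = defaultdict(set)  # (srcaddr, window index) -> distinct local dsts
    for r in records:
        if r.action != "REJECT" or not is_local(r.dstaddr):
            continue
        if r.srcaddr in whitelist_src or r.dstaddr in whitelist_dst:
            continue
        seen[(r.srcaddr, r.start // window_seconds)].add(r.dstaddr)
    alerts = []
    for (src, window), dsts in sorted(seen.items()):
        if len(dsts) >= threshold:
            alerts.append({
                "src": src,
                "scope": "internal-to-internal" if is_local(src) else "external-to-internal",
                "distinct_destinations": len(dsts),
                "window_start": window * window_seconds,
            })
    return alerts


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOGS)
    print("DNS not over UDP:", dns_not_over_udp(recs))
    print("REJECT fan-out:", reject_fanout(recs, threshold=10, whitelist_src={"10.0.9.9"}))
```

Run as-is, the script reports the two TCP port-53 flows from 10.0.1.15 and a single external-to-internal fan-out alert for 203.0.113.9; the approved scanner 10.0.9.9 is suppressed by the source whitelist, and the four-host internal sweep stays under the threshold of 10 until the threshold is lowered, which is the trade-off the alert notes ask you to tune.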
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon VPC Flow Logs in our documentation.