Alert Pack: Reconnaissance (MITRE ATT&CK Tactic: TA0043)
Purpose
This alert pack brings our SecOps-related content to our non-SecOps customers and helps jump-start threat coverage. It contains a set of detections that alert when an attacker uses common reconnaissance techniques against your environment. These techniques are typically among the first an attacker uses, because they reveal the layout of the environment they intend to attack.
What is Reconnaissance?
Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.
Prerequisites
To use this alert pack, you must have the following data sources available on your domain:
cloud.gcp.compute.firewall
vpc.aws.flow
firewall.all.traffic
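To make concrete what a reconnaissance detection over one of these data sources looks like, the following Python is an added example written for this page; it is not the alert pack's own logic and not Devo code. It parses constructed AWS VPC flow log records in the default (version 2) field order, the kind of data the vpc.aws.flow source carries, and flags a source that contacts many distinct destination ports on one host within a short window, a horizontal port sweep. The thresholds (10 ports, 60 seconds) and the sample addresses are illustrative assumptions, not values from the pack.

```python
"""Port-sweep detection over AWS VPC flow log records.

Example code added for this page; it is not the alert pack's own logic.
"""
from collections import Counter, defaultdict

# Field order of the AWS VPC Flow Logs default format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_flow_record(line):
    """Parse one default-format flow log line into a dict, or None if unusable."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry '-' in the traffic fields; skip them
    # before any integer conversion.
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def detect_port_scans(lines, min_ports=10, window_seconds=60):
    """Flag (srcaddr, dstaddr) pairs that touch >= min_ports distinct dstports
    within any window_seconds-wide window of flow start times.

    Returns one finding per offending pair with the peak number of distinct
    ports seen in a window and the share of REJECTed flows; a reject-heavy
    sweep is the classic signature of a scanner probing closed ports.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_flow_record(line)
        if rec is not None:
            by_pair[(rec["srcaddr"], rec["dstaddr"])].append(rec)

    findings = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["start"])
        ports_in_window = Counter()
        left = 0
        peak = 0
        for right, rec in enumerate(recs):
            ports_in_window[rec["dstport"]] += 1
            # Advance the left edge until the window is at most window_seconds wide.
            while recs[right]["start"] - recs[left]["start"] > window_seconds:
                old = recs[left]["dstport"]
                ports_in_window[old] -= 1
                if ports_in_window[old] == 0:
                    del ports_in_window[old]
                left += 1
            peak = max(peak, len(ports_in_window))
        if peak >= min_ports:
            rejected = sum(1 for r in recs if r["action"] == "REJECT")
            findings.append({
                "srcaddr": src,
                "dstaddr": dst,
                "distinct_ports": peak,
                "reject_ratio": round(rejected / len(recs), 2),
            })
    return findings


# Constructed sample data (not real traffic): a scanner at 10.0.1.5 sweeps
# twelve common service ports on 10.0.2.10 within a dozen seconds, mostly
# rejected; a legitimate client at 10.0.1.7 talks to the same host on 443 only.
_SCANNED_PORTS = (21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080)
SAMPLE_FLOW_LOGS = []
for i, port in enumerate(_SCANNED_PORTS):
    action = "ACCEPT" if port in (22, 443) else "REJECT"
    SAMPLE_FLOW_LOGS.append(
        f"2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 {51000 + i} {port} 6 "
        f"1 60 {1700000000 + i} {1700000010 + i} {action} OK"
    )
for i in range(5):
    SAMPLE_FLOW_LOGS.append(
        f"2 123456789012 eni-0a1b2c3d 10.0.1.7 10.0.2.10 {52000 + i} 443 6 "
        f"20 4500 {1700000000 + 30 * i} {1700000020 + 30 * i} ACCEPT OK"
    )
# A NODATA record, which the parser must ignore rather than crash on.
SAMPLE_FLOW_LOGS.append(
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA"
)

if __name__ == "__main__":
    for finding in detect_port_scans(SAMPLE_FLOW_LOGS):
        print(finding)
```

Run stand-alone, the script reports the 10.0.1.5 sweep (12 distinct ports, 83% rejected) and stays silent on the 443-only client. The sliding window matters: the same twelve flows spread over an hour would not cross a 60-second threshold, which is also why tuning both the port count and the window to your own baseline is part of activating any scan detection.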
Open alert pack
Once you have installed the alert pack, use the Open button at the top right of its card in Exchange to go to the Alert configuration area, where you can filter for the pack's alerts and manage them as required. You can also reach this area via the Navigation pane (Administration → Alert Configuration → Available alerts).
Use alert pack
The alerts in the alert pack are deactivated by default when the pack is installed. Go to the Alert configuration area to activate the ones you need and assign sending policies so that you receive them through the desired channels. Before activating them, bear in mind that authorized vulnerability scanners and monitoring systems produce the same network patterns as attacker reconnaissance; exclude those known sources or route their alerts to a low-priority channel to keep the pack's output actionable.