
Alert Pack: Reconnaissance (MITRE ATT&CK Tactic: TA0043)

Purpose

This alert pack brings our SecOps-related content to our non-SecOps customers and helps jump-start threat coverage. It contains a set of detections that alert when an attacker is using common reconnaissance tactics. These tactics are often among the first an attacker uses to map out the layout of the environment they intend to attack.

Security Operations application

SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.

SecOpsFWIpScanExternal

SecOpsFWPortScanExternalSource

SecOpsVpcNetworkScan

SecOpsFWExcessFirewallDenies

SecOpsGCPPortScan
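The pack's own queries are not shown on this page. As an added illustration (not Devo's code, and not the pack's actual logic), the following Python sketches the kind of per-source heuristic that alerts such as SecOpsFWPortScanExternalSource and SecOpsFWExcessFirewallDenies embody, run over constructed firewall-deny events. The window size, thresholds and the definition of "external" are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall deny events (not Devo's schema):
# (epoch seconds, source IP, destination IP, destination port).
SAMPLE_DENIES = (
    # one external host probing 25 different ports on one internal host: port scan
    [(1200 + i, "203.0.113.7", "10.0.0.5", 1 + i) for i in range(25)]
    # one internal host retrying a single port 60 times: excessive denies, not a scan
    + [(1200 + i, "10.0.0.9", "10.0.0.10", 445) for i in range(60)]
    # benign external noise: a couple of denies on two ports
    + [(1200, "198.51.100.3", "10.0.0.5", 443), (1201, "198.51.100.3", "10.0.0.5", 80)]
)

# Assumption: "internal" means RFC 1918 space; everything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_recon(events, window_s=60, port_threshold=20, deny_threshold=50):
    """Group denies per source IP into fixed time windows and return
    {alert_name: sorted source IPs} for two illustrative heuristics
    (thresholds are assumptions, not the pack's)."""
    ports = defaultdict(set)   # (window, src) -> distinct destination ports
    denies = defaultdict(int)  # (window, src) -> number of denies
    for ts, src, _dst, dport in events:
        key = (ts // window_s, src)
        ports[key].add(dport)
        denies[key] += 1
    findings = {"SecOpsFWPortScanExternalSource": set(),
                "SecOpsFWExcessFirewallDenies": set()}
    for (_win, src), seen in ports.items():
        # many distinct ports from an external source inside one window
        if is_external(src) and len(seen) >= port_threshold:
            findings["SecOpsFWPortScanExternalSource"].add(src)
    for (_win, src), count in denies.items():
        # a high deny volume from any source, internal or external
        if count >= deny_threshold:
            findings["SecOpsFWExcessFirewallDenies"].add(src)
    return {name: sorted(ips) for name, ips in findings.items()}


if __name__ == "__main__":
    for name, ips in detect_recon(SAMPLE_DENIES).items():
        print(f"{name}: {ips or 'no hits'}")
```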


What is Reconnaissance?

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of its card in Exchange to access the Alert configuration area, where you can apply filters to find the pack's alerts and manage them as required. You can also reach this area from the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.