Quick Links

Investigating "Internal Reconnaissance - Connection" findings

Overview

This investigation guide covers these four "Internal Reconnaissance Connection" detection rules:

  • Internal Reconnaissance - All Connections - Low Threshold
  • Internal Reconnaissance - Connections - 15 over 5 Minutes
  • Internal Reconnaissance - Connections - 5 over 5 Minutes
  • Internal Reconnaissance - All Connections

Activity that these rules are based on can elicit several alerts in some environments, so they are disabled by default. If enabled, creating filters can help adjust the alerts, so they are more efficient. 

These detections are looking for internal-to-internal network connections, and they often show aggregated log details instead of individual logs to summarize the count of connections and list of destination IPs and ports.

Taking note of the source IP address (src_ip) is important, because the associated device can reveal whether this is expected or unexpected and suspicious activity. If a known scanner, agent, or deployment tool is hosted at this IP address, then the detection might be triggering on expected scanning activity.

Using Report Builder to investigate

Reference: See Using the Report Builder for more information about building reports.

Reviewing device logs

We recommend reviewing device logs by taking the src_ip value from the finding and applying it as the device address in Report Builder.

To build a report and review the events related to this finding, do the following:

  1. Navigate to Reporting > Report Builder.
  2. Edit the Time Range so it is 15 minutes prior to the time matched in the finding.
  3. In Data Sources, select Microsoft Windows and the relevant Blumira Agent endpoint log types, if available.
  4. Click Add Filter.
  5. Add the following report filters to narrow your results:
    • device_address - Equal - src_ip
    • (Optional) dst_ip - Negate Regex - ^$ to filter for non-null values and show connections to destination IP addresses.
  6. Under Selected Columns, add columns to your report, such as those below, to review additional information in the logs:
    • timestamp
    • command
    • description
    • device_address
    • devname
    • domain
    • event_type
    • Image_path
    • message
    • object_path
    • parent.cmdline
    • parent_process_id
    • parent_process_name
    • privileges
    • process_id
    • process_name
    • service_name
    • service_type
    • shipping_agent
    • subject_account_name
    • type
    • user
    • Windows_event_id
  1. Click Submit.

Reviewing command details on a device

You can also investigate by building a report to review command details on a device. You can select for distinct counts, combined with similar filters above. To try this investigation method, do the following:

  1. In Report Builder, edit the Time Range so it is 15 minutes prior to the time matched in the finding.
  2. Click Edit Report.
  3. Click Select All Data Sources.
  4. Remove all selected columns, and then re-select the following columns:
    • command
    • devname
    • device_address
  5. Click Add Filter.
  6. Add the following report filters to narrow your results:
    • device_address - Equal - src_ip
    • command - Negate Regex - ^$ (this is effectively used to remove all null command fields)
  7. Turn on Apply Distinct Counts to Report to group and aggregate a count of the commands.
    Tip: Add columns like process_name and parent_process_name to broaden your aggregated search and see additional details.
  8. Click Submit.

Adding detection filters

Filtering options are limited for this detection because it is picking up firewall logs of devices internal IP addresses, which do not contain process details in the matched evidence. However, you might find that a process like PDQ Deploy or SentinelRanger was running and could have triggered these detections. In that case, you can filter by the IP address of the device to prevent future findings. 

Consider filtering with the src_ip, dst_ip, and dst_port that appear in the finding. This might be the best option for an expected and repeated scanning tool across limited IPs and ports. Additional detection filter options include the following:

  • src_ip - Equal - src_ip
    AND
    dst_port - In - dst_port_1, dst_port_2
    AND
    dst_ip - In - dst_ip_1, dst_ip_2, dst_ip_3 
  • src_ipIn - src_ip_1, src_ip_2