Bitdefender excessive access to blocked port or application detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

This rule detects when the Bitdefender firewall has logged more than 10 attempts from a single computer to reach blocked ports or applications.

Strategy

This rule monitors Bitdefender firewall logs, counts blocked port or application access events per computer IP, and triggers when that count exceeds 10. A burst of blocked accesses from one host can indicate port scanning, malware probing for an open path, or a misconfigured application repeatedly retrying a blocked destination.

Triage and Response

  1. Analyze the firewall logs for Computer IP: {{@params.events.computer_ip}} associated with the spike in accessing blocked ports or applications. Note which destination ports, applications and target hosts were involved, and whether the attempts are spread across many ports (scan-like) or repeatedly hit the same one (more typical of a misconfiguration).
  2. Temporarily isolate the device from the network to prevent further access attempts while the investigation is ongoing.
  3. Conduct a security assessment of the endpoint to determine whether a network misconfiguration or software error explains the blocked attempts.
  4. Check for signs of malware or compromised applications that may be attempting unauthorized access.
  5. Apply the patches or configuration changes needed to address the identified cause.
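The following is an added example, not part of this rule's documentation or of Bitdefender's or Datadog's code, showing the detection logic described under Strategy (count blocked accesses per computer IP, fire when the count exceeds 10) together with the log analysis from triage step 1. The event schema (`timestamp`, `computer_ip`, `action`, `dest_port`, `application`, `dest_ip`), the sample events and the sweep-versus-retry heuristic are all assumptions of the example, not the rule's actual fields or logic.

```python
"""Detection and triage helper for excessive access to blocked ports/applications.

Added example. The event field names and the sample events below are constructed
for illustration and are not Bitdefender's real log schema.
"""
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 10  # the rule fires when strictly more than 10 blocked accesses are seen


def _ev(ts, ip, action, port, app, dst):
    # Assumed schema: one dict per firewall event
    return {"timestamp": ts, "computer_ip": ip, "action": action,
            "dest_port": port, "application": app, "dest_ip": dst}


_BASE = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_EVENTS = []  # constructed sample data, not real logs
# Host A: 12 blocked connections sweeping ports 20..31 on one target (scan-like)
for i in range(12):
    SAMPLE_EVENTS.append(_ev(_BASE + timedelta(seconds=i), "10.0.0.5", "blocked",
                             20 + i, "scanner.exe", "10.0.0.100"))
# Host B: 3 blocked retries of one application to one port (looks like misconfiguration)
for i in range(3):
    SAMPLE_EVENTS.append(_ev(_BASE + timedelta(seconds=30 * i), "10.0.0.9", "blocked",
                             445, "backupagent.exe", "10.0.0.200"))
# Host B also has plenty of allowed traffic, which must not count towards the threshold
for i in range(15):
    SAMPLE_EVENTS.append(_ev(_BASE + timedelta(seconds=i), "10.0.0.9", "allowed",
                             443, "browser.exe", "198.51.100.10"))


def blocked_counts(events):
    """Count blocked port/application accesses per computer IP (allowed events ignored)."""
    counts = Counter()
    for e in events:
        if e["action"] == "blocked":
            counts[e["computer_ip"]] += 1
    return counts


def hosts_over_threshold(events, threshold=THRESHOLD):
    """Hosts whose blocked-access count exceeds the threshold; these are the alerts."""
    return {ip: n for ip, n in blocked_counts(events).items() if n > threshold}


def triage_summary(events, computer_ip):
    """Summarise the blocked events for one host, as a first pass at triage step 1."""
    blocked = [e for e in events
               if e["computer_ip"] == computer_ip and e["action"] == "blocked"]
    if not blocked:
        return None
    ports = Counter(e["dest_port"] for e in blocked)
    apps = Counter(e["application"] for e in blocked)
    targets = Counter(e["dest_ip"] for e in blocked)
    first = min(e["timestamp"] for e in blocked)
    last = max(e["timestamp"] for e in blocked)
    # Heuristic (an assumption of this example, not part of the rule): many distinct
    # ports looks like a sweep; the same port hit repeatedly looks like a retrying app.
    pattern = "port sweep" if len(ports) >= 5 else "repeated retry"
    return {
        "blocked_total": len(blocked),
        "distinct_ports": len(ports),
        "top_ports": ports.most_common(3),
        "applications": sorted(apps),
        "targets": sorted(targets),
        "span_seconds": (last - first).total_seconds(),
        "pattern": pattern,
    }


if __name__ == "__main__":
    for ip, n in hosts_over_threshold(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {n} blocked accesses")
        print(triage_summary(SAMPLE_EVENTS, ip))
```

Only host 10.0.0.5 trips the rule; host 10.0.0.9 has more firewall events overall but only three of them are blocked, and the summary for it points at a single application retrying one port, which steers triage towards a misconfiguration rather than isolation.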