Bitdefender excessive access to blocked port or application detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

This rule detects when more than 10 blocked ports or applications have been accessed.

Strategy

This rule monitors firewall logs to identify excessive access to blocked ports or applications.
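The counting logic behind this rule, as an added illustration rather than Datadog's or Bitdefender's implementation: blocked firewall events are grouped by `computer_ip` (the attribute the rule keys on) and the rule fires for any host with more than 10 of them inside one window. The event shape, the `action` values and the 15-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                   # rule fires when MORE than 10 blocked accesses are seen
WINDOW = timedelta(minutes=15)   # assumed evaluation window (not stated on the page)


def blocked_access_counts(events, window=WINDOW):
    """Return {computer_ip: max number of blocked events inside any `window`}.

    Uses a sliding window over the sorted timestamps per host so a burst is
    counted even when the events straddle fixed bucket boundaries.
    """
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("action") != "blocked":   # only blocked port/application events count
            continue
        per_host[ev["computer_ip"]].append(datetime.fromisoformat(ev["timestamp"]))
    result = {}
    for ip, times in per_host.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        result[ip] = best
    return result


def hosts_exceeding(events, threshold=THRESHOLD, window=WINDOW):
    """Hosts that would trigger this rule (strictly more than `threshold` blocked accesses)."""
    counts = blocked_access_counts(events, window)
    return sorted(ip for ip, n in counts.items() if n > threshold)


# Constructed sample: 12 blocked accesses from one host within 12 minutes,
# 3 widely spaced blocked accesses plus one allowed connection from another.
SAMPLE_EVENTS = [
    {"timestamp": f"2024-05-01T10:{m:02d}:00", "computer_ip": "10.0.0.5",
     "action": "blocked", "dst_port": 445 + m} for m in range(12)
] + [
    {"timestamp": f"2024-05-01T10:{m:02d}:00", "computer_ip": "10.0.0.9",
     "action": "blocked", "dst_port": 3389} for m in (0, 20, 40)
] + [
    {"timestamp": "2024-05-01T10:01:00", "computer_ip": "10.0.0.9",
     "action": "allowed", "dst_port": 443}
]

if __name__ == "__main__":
    print(hosts_exceeding(SAMPLE_EVENTS))  # ['10.0.0.5']
```

Exactly 10 blocked accesses does not fire; the eleventh does, which is the boundary to keep in mind when reading the rule's "more than 10" wording.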

Triage and Response

  1. Analyze the firewall logs for Computer IP: {{@params.events.computer_ip}} associated with the spike in accessing blocked ports or applications.
  2. Temporarily isolate the device from the network to prevent further access attempts while investigations are ongoing.
  3. Conduct a security assessment of the endpoint to identify potential network misconfigurations or software errors that could expose vulnerabilities.
  4. Check for signs of malware or compromised applications that may be attempting unauthorized access.
  5. Implement necessary patches or configuration changes to address identified vulnerabilities.