Eve_Z
Participant

How to detect Port Scanning with Harmony Endpoint or Infinity XDR/XPR?

Hello,

Have you ever tried to detect port scanning by using Harmony Endpoint? I thought this would be detected by Infinity XDR/XPR as an incident, but I see no related incidents.

I would like to detect port scanning from the machine with Harmony Endpoint that is performing the scan, for example, with a virtualized Kali Linux, AND/OR from the victim machine that also has Harmony Endpoint.

Any suggestion is appreciated.

Regards.

0 Kudos
2 Replies
PhoneBoy
Admin

At least for a gateway, this requires using a particular IPS signature and a trigger from SmartEvent to actually block based on the IP.
Not sure how this works on Endpoint, if it does at all.

0 Kudos
Eve_Z
Participant

I created a custom query for Threat Hunting to detect TCP connections with 0 bytes received, excluding common ports. This should detect when the source tries to open a connection to an uncommon port that is filtered (destination does not respond, so 0 bytes are received), which may indicate port scanning.

This query shows some results when scanning with Nmap from a machine with Harmony Endpoint, but when I scan from a virtualized Kali Linux from the same machine, I don't see the same results. I was expecting to see a VirtualBox process doing the same connections.

0 Kudos
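The heuristic described in the post above (TCP connections with 0 bytes received, to ports outside a common-port allowlist, many distinct ports from one source in a short window) can be prototyped offline before being turned into a Threat Hunting query. The script below is an added example, not Check Point's query language or any Harmony Endpoint export format: the log format, the process names, the port allowlist and the thresholds are all assumptions, and the sample records are constructed.

```python
"""Heuristic port-scan detector over endpoint connection records.

Added example: applies the idea from the post (0 bytes received on
uncommon ports) to a constructed, hypothetical log format:
    <timestamp> <process> <src_ip> <dst_ip> <dst_port> <bytes_received>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports excluded from the heuristic (assumption; tune per environment).
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 445, 587, 993, 995, 3389}

# Constructed sample records (hypothetical format, not a real product export).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z nmap.exe 10.0.0.5 10.0.0.20 21 0
2024-05-01T10:00:01Z nmap.exe 10.0.0.5 10.0.0.20 23 0
2024-05-01T10:00:02Z nmap.exe 10.0.0.5 10.0.0.20 80 512
2024-05-01T10:00:03Z nmap.exe 10.0.0.5 10.0.0.20 1433 0
2024-05-01T10:00:04Z nmap.exe 10.0.0.5 10.0.0.20 3306 0
2024-05-01T10:00:05Z nmap.exe 10.0.0.5 10.0.0.20 8080 0
2024-05-01T10:00:06Z nmap.exe 10.0.0.5 10.0.0.20 8443 0
2024-05-01T10:01:00Z VirtualBoxVM.exe 10.0.0.5 10.0.0.30 8000 0
2024-05-01T10:01:01Z VirtualBoxVM.exe 10.0.0.5 10.0.0.30 8001 0
2024-05-01T10:01:02Z VirtualBoxVM.exe 10.0.0.5 10.0.0.30 8002 0
2024-05-01T10:01:03Z VirtualBoxVM.exe 10.0.0.5 10.0.0.30 8003 0
2024-05-01T10:01:04Z VirtualBoxVM.exe 10.0.0.5 10.0.0.30 8004 0
2024-05-01T10:02:00Z chrome.exe 10.0.0.7 10.0.0.40 443 2048
2024-05-01T10:02:01Z chrome.exe 10.0.0.7 10.0.0.40 8080 0
"""


def parse_line(line):
    """Parse one record of the hypothetical format into a dict."""
    ts, proc, src, dst, dport, rx = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "proc": proc,
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "rx": int(rx),
    }


def filtered_uncommon(records):
    """Keep connections that got nothing back on a port outside the allowlist."""
    return [r for r in records if r["rx"] == 0 and r["dport"] not in COMMON_PORTS]


def detect_scans(lines, min_ports=5, window=timedelta(seconds=60)):
    """Return (src, dst, process, distinct_ports) for each source process that
    hit at least `min_ports` distinct uncommon ports on one destination with
    0 bytes received inside any `window`-long sliding interval."""
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    by_pair = defaultdict(list)
    for r in filtered_uncommon(records):
        by_pair[(r["src"], r["dst"], r["proc"])].append(r)

    findings = []
    for (src, dst, proc), recs in by_pair.items():
        start, best = 0, 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits the time limit.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, len({r["dport"] for r in recs[start:end + 1]}))
        if best >= min_ports:
            findings.append((src, dst, proc, best))
    return findings


if __name__ == "__main__":
    for src, dst, proc, n in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"possible scan: {proc} on {src} -> {dst}, {n} uncommon ports, 0 bytes back")
```

Note that in the constructed sample the VirtualBox case is only visible because the hypothesised log attributes the VM's connections to a `VirtualBoxVM.exe` process on the host; whether the endpoint agent actually records guest traffic that way is exactly the open question in the thread, and the `chrome.exe` single-port case shows why the distinct-port threshold is needed to keep ordinary failed connections out of the results.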
