...
| Question | Where to look in Discover |
| --- | --- |
| Are any endpoints performing recon activities? | Discover → Notifications Tab → Query `Port_Scan`; Discover → Notifications Tab → Query `Address_Scan` |
| Are administrative tasks occurring from the non-admin subnets? | Discover → RPC Tab and SMB Mapping Tab → Query `orig_h:"192.168.0.0/16"` |
| Are users connecting to suspicious shares? | Discover → SMB Mapping Tab → Query `*ADMIN*` |
| Which hosts (whether inside or outside) communicate with servers most often? What communication is happening at unusual times? | Discover → Connection Analytics → Interesting Insights "Top Uploaders/Downloaders" |
| Are there files being transferred over SMB where the file type does not match the file name? | Discover → Malware Analytics → Query `filetype: exe and !filename: *exe*` |
| Which hosts are attempting to discover SMB shares? | Discover → Notifications → Query `<Discovery>` |
| Which hosts are making multiple attempts at lateral movement? | Discover → Notifications → Query `<Attempts>` |
| Was any host targeted with lateral movement and execution? | Discover → Notifications → Query `<Execution>` |
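Several of these hunts are plain filters over network logs, so they can be checked outside the UI as well. The Python below is an added illustration, not part of the original playbook and not code from the Discover product: it re-implements the recon-notice, admin-share-from-non-admin-subnet and SMB type/name-mismatch hunts over constructed records shaped like Zeek's notice.log, smb_mapping.log and files.log. The field names (`note`, `src`, `id.orig_h`, `path`, `mime_type`, `filename`) are Zeek conventions assumed here; the page does not describe the product's own schema. The 192.168.0.0/16 range is the one the table queries; every address, share and filename is constructed sample data.

```python
import ipaddress

# Constructed sample records (not real traffic), shaped like Zeek's notice.log,
# smb_mapping.log and files.log in JSON form. Field names are an assumption
# borrowed from Zeek; the Discover product's schema may differ.
NOTICE_LOG = [
    {"ts": 1.0, "note": "Scan::Port_Scan", "src": "10.20.30.40",
     "msg": "10.20.30.40 scanned at least 15 unique ports of host 10.0.0.5"},
    {"ts": 2.0, "note": "Scan::Address_Scan", "src": "10.20.30.41",
     "msg": "10.20.30.41 scanned at least 25 unique hosts on port 445/tcp"},
    {"ts": 3.0, "note": "SSL::Invalid_Server_Cert", "src": "10.0.0.9",
     "msg": "SSL certificate validation failed"},
]
SMB_MAPPING_LOG = [
    {"ts": 4.0, "id.orig_h": "10.10.5.20", "id.resp_h": "10.0.0.5",
     "path": "\\\\fileserver\\ADMIN$"},
    {"ts": 5.0, "id.orig_h": "192.168.10.7", "id.resp_h": "10.0.0.5",
     "path": "\\\\fileserver\\C$"},
    {"ts": 6.0, "id.orig_h": "192.168.10.8", "id.resp_h": "10.0.0.6",
     "path": "\\\\fileserver\\Public"},
]
FILES_LOG = [
    {"ts": 7.0, "source": "SMB", "mime_type": "application/x-dosexec",
     "filename": "quarterly_report.pdf"},
    {"ts": 8.0, "source": "SMB", "mime_type": "application/x-dosexec",
     "filename": "setup.exe"},
    {"ts": 9.0, "source": "HTTP", "mime_type": "application/x-dosexec",
     "filename": "image.png"},
    {"ts": 10.0, "source": "SMB", "mime_type": "application/pdf",
     "filename": "notes.pdf"},
]

# The range the table treats as non-admin (orig_h:"192.168.0.0/16").
NON_ADMIN_RANGE = ipaddress.ip_network("192.168.0.0/16")

# Zeek's scan detector emits these two notice types; they correspond to the
# "Port_Scan" / "Address_Scan" queries in the first row of the table.
SCAN_NOTES = {"Scan::Port_Scan", "Scan::Address_Scan"}


def recon_sources(notices):
    """Hosts that raised a Port_Scan or Address_Scan notice, de-duplicated and sorted."""
    return sorted({n["src"] for n in notices if n["note"] in SCAN_NOTES})


def admin_shares_from_non_admin(mappings, non_admin_range=NON_ADMIN_RANGE):
    """Mappings of hidden administrative shares (ADMIN$, C$, IPC$, ...) whose
    originator sits inside the non-admin range. Hidden shares end in '$', which
    is broader than the table's '*ADMIN*' query and also catches C$ access."""
    hits = []
    for m in mappings:
        orig = ipaddress.ip_address(m["id.orig_h"])
        share = m["path"].rsplit("\\", 1)[-1]  # last path component is the share name
        if orig in non_admin_range and share.endswith("$"):
            hits.append((m["id.orig_h"], m["id.resp_h"], share))
    return hits


def smb_type_name_mismatch(files):
    """SMB transfers whose content sniffs as a Windows executable but whose
    filename does not contain 'exe' (the table's 'filetype: exe and !filename: *exe*')."""
    return [f["filename"] for f in files
            if f["source"] == "SMB"
            and f["mime_type"] == "application/x-dosexec"
            and "exe" not in f["filename"].lower()]


if __name__ == "__main__":
    print("recon sources:", recon_sources(NOTICE_LOG))
    print("admin shares from non-admin range:", admin_shares_from_non_admin(SMB_MAPPING_LOG))
    print("SMB type/name mismatches:", smb_type_name_mismatch(FILES_LOG))
```

The share check deliberately keys on the trailing `$` rather than the literal string `ADMIN`, because C$ and IPC$ access from a workstation subnet is just as relevant to the "administrative tasks from non-admin subnets" question; narrow it back to `ADMIN$` if the broader match is too noisy in your environment.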
...