external_udp_2222

Explanation

The external_udp_2222 NDM flags connections from outside the customer network to servers on the customer network listening on UDP port 2222. Rockwell Automation ICS systems use UDP port 2222. These kinds of systems should never be exposed to the open Internet.

What to Look For

Verify that the server (the source IP in this case) is expected to receive connections from the external host (the destination IP in this case) on port 2222. While traffic to this port could be innocuous, very few networks intentionally expose this service to external hosts. This event could produce a false positive if Netography has not been configured with the appropriate internal network IP address ranges.
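The check described above, sketched over constructed flow records as an added illustration (not Netography's NDM definition and not code from this page). The field names, addresses and range lists are assumptions; the second range list omits an internal subnet to show the false positive mentioned above.

```python
import ipaddress

ICS_UDP_PORT = 2222  # port named on this page

def is_internal(ip, internal_nets):
    """True when ip falls inside any configured internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)

def flag_flows(flows, internal_cidrs):
    """Return flows where an internal server on UDP/2222 talks to an external host.

    As on this page, the server is the flow's source IP and the
    external host is the destination IP.
    """
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    hits = []
    for f in flows:
        if f["protocol"] != "udp" or f["src_port"] != ICS_UDP_PORT:
            continue
        if is_internal(f["src_ip"], nets) and not is_internal(f["dst_ip"], nets):
            hits.append(f)
    return hits

# Constructed sample flows (private and documentation addresses only).
SAMPLE_FLOWS = [
    # Controller answering an Internet host: should be flagged.
    {"src_ip": "10.20.0.15", "src_port": 2222, "dst_ip": "203.0.113.7", "dst_port": 40112, "protocol": "udp"},
    # Controller talking to a host on another internal subnet: benign.
    {"src_ip": "10.20.0.15", "src_port": 2222, "dst_ip": "172.16.5.9", "dst_port": 2222, "protocol": "udp"},
    # TCP/2222 is a different protocol and is ignored by this check.
    {"src_ip": "10.20.0.30", "src_port": 2222, "dst_ip": "198.51.100.4", "dst_port": 51000, "protocol": "tcp"},
]

FULL_RANGES = ["10.0.0.0/8", "172.16.0.0/12"]
INCOMPLETE_RANGES = ["10.0.0.0/8"]  # assumed misconfiguration: 172.16.0.0/12 missing

def external_peers(flows, internal_cidrs):
    """Destination IPs of flagged flows, for quick triage."""
    return [f["dst_ip"] for f in flag_flows(flows, internal_cidrs)]

if __name__ == "__main__":
    print("full ranges:      ", external_peers(SAMPLE_FLOWS, FULL_RANGES))
    print("incomplete ranges:", external_peers(SAMPLE_FLOWS, INCOMPLETE_RANGES))
```

With the incomplete range list, the internal peer 172.16.5.9 is treated as external and the benign flow is flagged, so checking the destination IP against the real internal address plan is the first triage step.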

Related MITRE ATT&CK Categories

Exploit Public-Facing Application, Technique T1190