internal_snmp_sweep

Explanation

The internal_snmp_sweep detection model identifies an SNMP sweep taking place inside the network. It triggers when a single source sends a large number of SNMP requests (normally UDP port 161) to many different devices on the network within a short period of time.

What to Look For

When examining the results of the internal_snmp_sweep NDM, first identify machines that are authorized to perform SNMP sweeps, such as network monitoring and inventory systems, and add them to the "Discard" list of this NDM so that they no longer generate alerts. For any remaining source, review the endpoint logs of that host to determine which process or user issued the requests. SNMP sweeps are often a sign of an attacker mapping out the network topology during the reconnaissance phase of an attack, so identifying and investigating them early can prevent the attacks that typically follow.
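
The following is an added illustration, not the logic of the internal_snmp_sweep NDM itself, showing how the detection and the "Discard" allowlist described above can be expressed over flow records. The flow records, IP addresses, the 60-second window and the threshold of 10 distinct destinations are all constructed assumptions for the example. It also goes one step beyond the text by including a slow sweep, which shows why a source that spreads its requests out over a long period can stay below a rate-based threshold.

```python
from collections import Counter, defaultdict

# Constructed flow records for the example: (timestamp_seconds, src_ip, dst_ip, proto, dst_port).
# None of this is real traffic; it is built inline so the detection can be run offline.
FLOWS = []
# Fast sweep: one host queries 40 distinct devices on UDP/161 within 20 seconds.
for i in range(40):
    FLOWS.append((1000 + i * 0.5, "10.0.5.23", f"10.0.0.{i + 1}", "udp", 161))
# Authorized poller: a network monitoring server polling the same 40 devices.
for i in range(40):
    FLOWS.append((1000 + i, "10.0.1.10", f"10.0.0.{i + 1}", "udp", 161))
# Workstation polling a single printer repeatedly: many requests, but one destination.
for i in range(50):
    FLOWS.append((1000 + i, "10.0.5.50", "10.0.0.200", "udp", 161))
# Slow sweep: 40 devices, one request every 90 seconds, spread over about an hour.
for i in range(40):
    FLOWS.append((1000 + i * 90, "10.0.5.77", f"10.0.0.{i + 1}", "udp", 161))
# SNMP trap from an agent to the collector (UDP/162): not a request, must be ignored.
FLOWS.append((1005, "10.0.0.7", "10.0.1.10", "udp", 162))

SNMP_REQUEST_PORTS = {161}  # agents listen on 161; 162 carries traps sent by agents


def snmp_requests(flows):
    """Keep only UDP flows directed at an SNMP agent port."""
    return [f for f in flows if f[3] == "udp" and f[4] in SNMP_REQUEST_PORTS]


def sweep_sources(flows, window=60, threshold=10, allowlist=frozenset()):
    """Return {src_ip: max_distinct_destinations} for every source that contacts more
    than `threshold` distinct devices on UDP/161 inside any `window`-second span.

    Sources in `allowlist` (the equivalent of the NDM "Discard" list) are skipped.
    The window and threshold values are assumptions chosen for this example.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _proto, _port in snmp_requests(flows):
        if src in allowlist:
            continue
        by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()  # order by timestamp so a sliding window can be used
        in_window = Counter()  # destination -> number of requests currently in the window
        left = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window on the left side.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        if best > threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    authorized = {"10.0.1.10"}  # assumed "Discard" entry for the monitoring server
    print("fast window :", sweep_sources(FLOWS, window=60, threshold=10, allowlist=authorized))
    print("no allowlist:", sweep_sources(FLOWS, window=60, threshold=10))
    print("1h window   :", sweep_sources(FLOWS, window=3600, threshold=10, allowlist=authorized))
```

With the 60-second window only the fast scanner is reported once the monitoring server is on the allowlist; without the allowlist the monitoring server is reported as well, which is exactly the false positive the "Discard" list is meant to remove. The workstation that hammers a single printer never trips the detection because the count is of distinct destinations, not of requests. The slow scanner is invisible in a 60-second window and only appears when the window is widened to an hour, so a short window trades sensitivity to slow reconnaissance for fewer alerts on bursty but benign traffic.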

Related MITRE ATT&CK Categories

Network Service Discovery, Technique T1046 - Enterprise