ping_scan_ext-int

Explanation

The ping_scan_ext-int event monitors for external-to-internal ping scans on the network. It detects when an external entity is trying to map out the internal infrastructure by pinging various IP addresses.

What to Look For

When examining the results of the ping_scan_ext-int event, identify the internal IP addresses that the external IP targeted with the ping scan. Also look for patterns or anomalies in the network traffic that could indicate an attempt to map out the network. Tighten network security by restricting external access to the internal network, and review firewall rules to block such scans.
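
The triage step described above, listing the internal targets per external source, can be sketched as follows. This is an added example, not the product's detection logic. The record layout, the internal ranges, the 60-second window and the five-host threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example, not values from the product:
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW_SECONDS = 60        # sliding window length
MIN_DISTINCT_TARGETS = 5   # distinct internal hosts pinged within the window

# Constructed sample records: (epoch_seconds, src_ip, dst_ip, icmp_type)
SAMPLE_EVENTS = (
    [(1000 + i, "203.0.113.7", f"10.0.5.{i + 1}", 8) for i in range(6)]      # sweep
    + [(1000 + 10 * i, "198.51.100.20", "10.0.5.10", 8) for i in range(3)]  # one host
    + [(1000 + i, "10.0.9.9", f"10.0.5.{i + 1}", 8) for i in range(6)]      # internal source
    + [(1002, "198.51.100.20", "10.0.5.11", 0)]                             # echo reply
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_ping_scans(events, window=WINDOW_SECONDS, min_targets=MIN_DISTINCT_TARGETS):
    """Map each external source to the internal hosts it pinged, for sources that
    sent echo requests to at least min_targets distinct hosts within window seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in events:
        # ICMP type 8 = echo request; keep only external -> internal traffic.
        if icmp_type == 8 and not is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            # Drop hits that have fallen out of the sliding window.
            while ts - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                findings.setdefault(src, set()).update(targets)
    return {s: sorted(t, key=ipaddress.ip_address) for s, t in findings.items()}

if __name__ == "__main__":
    for src, targets in find_ping_scans(SAMPLE_EVENTS).items():
        print(f"{src} pinged {len(targets)} internal hosts: {', '.join(targets)}")
```

The per-source target list is the input for the firewall review: it shows which internal addresses are reachable by ICMP from outside.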

Related MITRE ATT&CK Categories

Network Service Discovery, Technique T1046 - Enterprise
Active Scanning, Technique T1595 - Enterprise