Explanation

The tcpnull event is designed to detect NULL TCP flows. A NULL TCP flow consists of TCP packets with no flags set; attackers often send such packets to scan networks for potential vulnerabilities. This event uses the Netography Detection Method (NDM), which is based on statistical analysis of network traffic, to detect NULL TCP flows.

What to Look For

If this event is triggered, it means that NULL TCP flows are present on your network. Examine the results of the event to determine whether these flows are legitimate or potentially malicious. Look for traffic patterns that may indicate scanning or reconnaissance activity, such as one source touching many ports or hosts. Check the affected endpoints for any suspicious processes or connections related to the traffic. If there is evidence of malicious activity, take steps to remediate the issue and implement additional security measures to prevent future attacks.
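The following is an added example of the detection logic described in the two sections above (identifying NULL TCP flows, then looking for scan-like patterns in them). It is not Netography's code and does not implement NDM; it assumes a generic flow record with src, dst, dport, proto and flags fields, uses constructed sample flows rather than real telemetry, and treats the min_ports threshold as an assumed tuning parameter.

```python
from collections import defaultdict

# TCP flag bits as defined in RFC 9293. A NULL segment has none of them set.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_FLAG_MASK = sum(TCP_FLAG_BITS.values())
PROTO_TCP = 6

# Constructed sample flow records, not real telemetry. "flags" is the union of
# TCP flags seen across the flow, as most flow exporters report it, so 0 means
# no flag was observed on any packet of that flow.
SAMPLE_FLOWS = [
    # Hypothetical source walking several ports on one host with no flags set.
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 22,   "proto": 6,  "flags": 0x00},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 80,   "proto": 6,  "flags": 0x00},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 443,  "proto": 6,  "flags": 0x00},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 445,  "proto": 6,  "flags": 0x00},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 3389, "proto": 6,  "flags": 0x00},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 8080, "proto": 6,  "flags": 0x00},
    # Ordinary HTTPS session: SYN, PSH and ACK were all seen on the flow.
    {"src": "10.0.0.7", "dst": "192.168.1.10", "dport": 443,  "proto": 6,  "flags": 0x1A},
    # UDP carries no TCP flags; it must not be mistaken for a NULL TCP flow.
    {"src": "10.0.0.8", "dst": "192.168.1.53", "dport": 53,   "proto": 17, "flags": 0x00},
    # A single NULL TCP flow, which on its own stays below the scan threshold.
    {"src": "10.0.0.9", "dst": "192.168.1.20", "dport": 80,   "proto": 6,  "flags": 0x00},
]


def is_null_tcp_flow(flow):
    """True when the record is TCP and none of the six flag bits are set."""
    return flow["proto"] == PROTO_TCP and (flow["flags"] & TCP_FLAG_MASK) == 0


def find_null_flows(flows):
    """Return only the NULL TCP flow records from a list of flows."""
    return [f for f in flows if is_null_tcp_flow(f)]


def summarize_null_sources(flows, min_ports=5):
    """Group NULL TCP flows by source address and keep the sources that touched
    at least min_ports distinct (host, port) pairs, the pattern the event page
    describes as scanning or reconnaissance. Returns {src: {flows, hosts, ports}}.
    min_ports is an assumed threshold; tune it to the network's normal behaviour.
    """
    per_src = defaultdict(lambda: {"flows": 0, "hosts": set(), "ports": set()})
    for f in find_null_flows(flows):
        stats = per_src[f["src"]]
        stats["flows"] += 1
        stats["hosts"].add(f["dst"])
        stats["ports"].add((f["dst"], f["dport"]))
    return {
        src: {"flows": s["flows"], "hosts": len(s["hosts"]), "ports": len(s["ports"])}
        for src, s in per_src.items()
        if len(s["ports"]) >= min_ports
    }


if __name__ == "__main__":
    for src, stats in summarize_null_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {stats['flows']} NULL TCP flows to "
              f"{stats['hosts']} host(s) on {stats['ports']} distinct port(s)")
```

Running the script with the constructed flows reports only 10.0.0.5, whose six flagless TCP flows to six ports on one host fit the reconnaissance pattern; the UDP record and the normal HTTPS session are excluded by is_null_tcp_flow, and the lone NULL flow from 10.0.0.9 is kept for review but falls under the threshold. Lowering min_ports trades fewer missed slow scans for more single-flow false positives, so the threshold should be set from the network's own baseline.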

Related MITRE ATT&CK Categories

Network Service Discovery, Technique T1046 - Enterprise

Active Scanning, Technique T1595 - Enterprise