Reconnaissance Content Pack

Overview

Before a targeted attack begins, there is typically a phase in which the attacker gathers information about the network and specific systems, looking for exploitable weaknesses. This ranges from passive information gathering to active scanning. Identifying and monitoring these passive and active reconnaissance attempts gives you the chance to stop a targeted attack before it starts. The Reconnaissance Content Pack provides an easy-to-read breakdown of known reconnaissance events on your network, a logical workflow for reviewing reconnaissance signatures and interactions, and rapid insight into network scans that were not performed by in-house IT.

Content Pack Components

Alarms
  • Recon – Network Sweep Activity
Reports
  • Recon – Recon Analysis Report
  • Recon – Network Scan Analysis Report
  • Recon – Protocols Analysis Report
Views
  • Recon – Destination to Source Recon Events
  • Recon – Destination to Source Network Scan Analysis
  • Recon – Destination to Source Protocol Analysis
  • Recon – Source to Destination Recon Events
  • Recon – Source to Destination Network Scan Analysis
  • Recon – Source to Destination Protocol Analysis
Watchlists
  • Recon – Network Scan Devices
    The IP addresses of all corporate network devices that perform authorized vulnerability scans on the internal network. Keep this list current so that scans run by in-house IT are recognized as such and only unexpected scan activity is surfaced.
Correlation Rules
  • Recon – Application Query Events from a Local Host
  • Recon – Application Query Events from a Remote Host
  • Recon – DNS Recon Events from a Local Host
  • Recon – DNS Recon Events from a Remote Host
  • Recon – Database Recon Events from a Local Host
  • Recon – Database Recon Events from a Remote Host
  • Recon – Detected Anomaly of TCP or UDP Packet Activity from Internal Host
  • Recon – FTP Recon Events from a Local Host
  • Recon – FTP Recon Events from a Remote Host
  • Recon – Horizontal FTP Scan: Events or Flows
  • Recon – Horizontal HTTP Scan: Events or Flows
  • Recon – Horizontal HTTPS Scan: Events or Flows
  • Recon – Horizontal NETBIOS Scan: Port 137 and 138
  • Recon – Horizontal NetBIOS Scan: Port 139: Events and Flows
  • Recon – Horizontal RDP Scan: Events or Flows
  • Recon – Horizontal RPC Scan: Events or Flows
  • Recon – Horizontal SMB Scan: Events or Flows
  • Recon – Horizontal SMTP Scan: Events or Flows
  • Recon – Horizontal SNMP Scan: Events or Flows
  • Recon – Horizontal SSH Scan: Events or Flows
  • Recon – Horizontal Telnet Scan: Events or Flows
  • Recon – Host Port Scan Events from a Local Host
  • Recon – Host Port Scan Events from a Remote Host
  • Recon – Host Query Events from a Local Host
  • Recon – Host Query Events from a Remote Host
  • Recon – ICMP Recon Events from a Local Host
  • Recon – ICMP Recon Events from a Remote Host
  • Recon – IP Recon Events from a Local Host
  • Recon – IP Recon Events from a Remote Host
  • Recon – Mail Recon Events from a Local Host
  • Recon – Mail Recon Events from a Remote Host
  • Recon – Misc Form of Reconnaissance Events from a Local Host
  • Recon – Misc Form of Reconnaissance Events from a Remote Host
  • Recon – Multiple TCP Recon Events from a Local Host
  • Recon – Network Sweep Activity Detected from a Local Host to Multiple Hosts
  • Recon – Network Sweep Activity Detected from a Local Host to Multiple Ports
  • Recon – Network Sweep Activity Detected from a Remote Host to Multiple Local Hosts
  • Recon – Network Sweep Activity Detected from a Remote Host to Multiple Local Ports
  • Recon – Network Sweep Events from a Local Host
  • Recon – Network Sweep Events from a Remote Host
  • Recon – Other Protocol Recon Events from a Local Host
  • Recon – Other Protocol Recon Events from a Remote Host
  • Recon – RPC Request Events from a Local Host
  • Recon – RPC Request Events from a Remote Host
  • Recon – Recon Events from a Local Host to Multiple External Hosts
  • Recon – Recon Events from a Remote Host
  • Recon – SNMP Recon Events from a Local Host
  • Recon – SNMP Recon Events from a Remote Host
  • Recon – SSH Recon Events from a Local Host
  • Recon – SSH Recon Events from a Remote Host
  • Recon – TCP Recon Events from a Remote Host
  • Recon – Telnet Recon Events from a Local Host
  • Recon – Telnet Recon Events from a Remote Host
  • Recon – UDP Recon Events from a Local Host
  • Recon – UDP Recon Events from a Remote Host
  • Recon – Web Recon Events from a Local Host
  • Recon – Web Recon Events from a Remote Host
  • Recon – Stealth Scan Activity Detected
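The four "Network Sweep Activity Detected" rules above share one idea: a single source touching many hosts on one port (a horizontal sweep) or many ports on one host (a port scan) inside a short window, reported differently depending on whether the source is local or remote, and ignored when the source is an authorized scanner on the watchlist. The following is an added example, not code from the McAfee content pack or its rule definitions: a small Python correlation routine that applies that logic to constructed flow records and suppresses sources listed in a stand-in for the Recon – Network Scan Devices watchlist. The internal address ranges, the thresholds, the 60-second window, and every IP address and flow in it are assumptions made for the example.

```python
# Added example (not part of the McAfee content pack or its rule definitions):
# a toy correlation routine that reproduces the logic behind the four
# "Network Sweep Activity Detected ..." rules over constructed flow records,
# honouring a watchlist of in-house scan devices so authorized scans do not alert.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions, not taken from the page: which ranges count as "local",
# the sweep thresholds and the correlation window.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HOST_THRESHOLD = 5      # distinct hosts hit on one port within the window -> sweep to multiple hosts
PORT_THRESHOLD = 10     # distinct ports hit on one host within the window -> sweep to multiple ports
WINDOW_SECONDS = 60

# Constructed stand-in for the "Recon - Network Scan Devices" watchlist.
NETWORK_SCAN_DEVICES = {"10.0.5.20"}


def is_local(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_sweeps(flows, watchlist=NETWORK_SCAN_DEVICES):
    """flows: iterable of (timestamp, src_ip, dst_ip, dst_port).
    Returns one alert per (source, rule, target) the first time a threshold
    is crossed inside any WINDOW_SECONDS window starting at one of the flows."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, dst, dport))

    alerts, fired = [], set()
    for src, recs in by_src.items():
        if src in watchlist:
            continue   # authorized scanner: exactly what the watchlist exists for
        recs.sort()
        origin = "Local" if is_local(src) else "Remote"
        target = "Local " if origin == "Remote" else ""
        for i, (t0, _, _) in enumerate(recs):
            hosts_by_port = defaultdict(set)
            ports_by_host = defaultdict(set)
            for ts, dst, dport in recs[i:]:          # flows inside the window that opens at t0
                if ts - t0 > WINDOW_SECONDS:
                    break
                hosts_by_port[dport].add(dst)
                ports_by_host[dst].add(dport)
            for dport, hosts in hosts_by_port.items():   # horizontal sweep: one port, many hosts
                key = (src, "hosts", dport)
                if len(hosts) >= HOST_THRESHOLD and key not in fired:
                    fired.add(key)
                    alerts.append({
                        "rule": f"Recon - Network Sweep Activity Detected from a {origin} Host to Multiple {target}Hosts",
                        "src": src, "port": dport, "count": len(hosts)})
            for dst, ports in ports_by_host.items():     # port scan: one host, many ports
                key = (src, "ports", dst)
                if len(ports) >= PORT_THRESHOLD and key not in fired:
                    fired.add(key)
                    alerts.append({
                        "rule": f"Recon - Network Sweep Activity Detected from a {origin} Host to Multiple {target}Ports",
                        "src": src, "host": dst, "count": len(ports)})
    return alerts


# Constructed sample flows: (timestamp, src, dst, dport). None of these are real.
SAMPLE_FLOWS = (
    # watchlisted vulnerability scanner sweeping SMB on 8 hosts: must not alert
    [(100 + i, "10.0.5.20", f"10.0.1.{i}", 445) for i in range(1, 9)]
    # internal workstation probing SSH on 6 hosts in 15 s: sweep to multiple hosts
    + [(200 + 3 * i, "10.0.7.33", f"10.0.1.{i}", 22) for i in range(1, 7)]
    # external host probing 12 ports on one server in 5 s: sweep to multiple local ports
    + [(300 + 0.4 * i, "203.0.113.9", "10.0.2.5", p)
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389])]
    # ordinary user traffic to three web servers: stays below threshold
    + [(400 + 10 * i, "10.0.9.1", f"10.0.3.{i}", 443) for i in range(1, 4)]
)

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_FLOWS):
        print(alert)
```

Run as a script, the example prints two alerts: a Local Host to Multiple Hosts sweep for 10.0.7.33 and a Remote Host to Multiple Local Ports scan for 203.0.113.9; the watchlisted scanner 10.0.5.20 is silent, and the three HTTPS connections from 10.0.9.1 never reach the host threshold. Passing an empty watchlist makes the scanner's SMB sweep alert as well, which is the behaviour you should expect if the Recon – Network Scan Devices list is left unpopulated.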

Required Products

  • McAfee Enterprise Security Manager (ESM) 10.0.x, 9.6.x, 9.5.x
  • McAfee Advanced Correlation Engine (ACE) 10.0.x, 9.6.x, 9.5.x

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.
