Alerting on Attacker Behavior - Vulnerability Scanning


Performing scans on the network and looking for specific Microsoft vulnerabilities (e.g. MS08-067). I was surprised that after my scans, I did not have any alerts in IDR. Is there something I am missing within IDR, or is this not available?


Hi @heath_higgins, a typical way to catch this kind of behavior would be using a Honeypot. Honeypot | InsightIDR Documentation

Otherwise, the only other thing that might trip is a Lateral Movement alert, if the source machine doing the authentication to the target assets never logged in to those targets previously (since IDR has been in play).

I’d recommend verifying these Lateral Movement alerts are set to alert, and that there are no existing Open Investigations. If there are Open Investigations (even very old ones), we will append this behavior to the open investigation (daisy chaining events based on actors and/or assets) instead of firing a new alert.
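To make the two behaviors described in this reply concrete (a first-time source-to-target authentication fires an alert; later first-time authentications sharing an actor or asset with an open investigation get appended instead of alerting again), here is a small added detector that runs over constructed authentication events. It is illustrative code written for this thread, not InsightIDR's own logic, and the event tuple layout and asset/account names are assumptions.

```python
# Constructed sample authentication events (not real IDR data):
# (timestamp, source_asset, target_asset, account)
BASELINE_EVENTS = [
    ("2024-01-02T09:00", "ws-finance-01", "fs-01", "alice"),
    ("2024-01-03T09:05", "ws-finance-01", "fs-01", "alice"),
    ("2024-01-04T10:00", "ws-it-07", "dc-01", "admin-bob"),
]

NEW_EVENTS = [
    ("2024-02-01T11:00", "ws-finance-01", "fs-01", "alice"),   # pair seen in baseline: no alert
    ("2024-02-01T11:01", "ws-finance-01", "dc-01", "alice"),   # first time: new alert + investigation
    ("2024-02-01T11:02", "ws-finance-01", "sql-02", "alice"),  # first time, same actor: appended
    ("2024-02-01T11:03", "ws-hr-03", "fs-01", "carol"),        # first time, unrelated actor/assets: new alert
]


class LateralMovementDetector:
    """Flags source->target pairs never seen before; daisy-chains related hits
    onto an open investigation instead of raising a fresh alert."""

    def __init__(self, baseline):
        # Pairs observed during the learning period are considered normal.
        self.seen = {(src, dst) for _, src, dst, _ in baseline}
        self.investigations = []  # each: {"open", "assets", "accounts", "events"}

    def process(self, event):
        _, src, dst, account = event
        if (src, dst) in self.seen:
            return None  # known pair, nothing fires
        self.seen.add((src, dst))
        # Daisy chaining: attach to an OPEN investigation sharing an asset or actor.
        for inv in self.investigations:
            if inv["open"] and (
                src in inv["assets"] or dst in inv["assets"] or account in inv["accounts"]
            ):
                inv["assets"].update({src, dst})
                inv["accounts"].add(account)
                inv["events"].append(event)
                return "appended"
        self.investigations.append(
            {"open": True, "assets": {src, dst}, "accounts": {account}, "events": [event]}
        )
        return "new_alert"

    def close_all(self):
        # Once investigations are closed, the next related hit alerts again.
        for inv in self.investigations:
            inv["open"] = False


def run(baseline, events):
    det = LateralMovementDetector(baseline)
    return [det.process(e) for e in events], det
```

Running `run(BASELINE_EVENTS, NEW_EVENTS)` yields `[None, "new_alert", "appended", "new_alert"]`, which is why a stale open investigation can silently absorb what looks like brand-new scanner traffic.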