User agent associated with penetration testing tool observed

Classification:

attack

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a penetration testing tool user agent is observed.

Strategy

This rule monitors cloud audit logs for requests with a user agent correlating to a penetration testing tool. While these tools may be used legitimately by an organization to assess their security posture, they can also be used by attackers as a means of discovery once they have gained unauthorized access to your cloud environment.

Triage and response

  1. Determine if your organization used any of the tools observed for its own security assessment.
  2. If the tool was used by your organization, consider adding a suppression for the penetration tool’s identity or IP address. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the tool was not used by your organization, begin your company’s incident response process and an investigation.
    • If appropriate, disable or rotate the affected credential or identity.
    • Investigate any actions taken by the identity.
PREVIEWING: brett0000FF/node-compatibility