Zero Networks blocked activity in internal network

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects and alerts on blocked activities in the internal network, such as unauthorized access or malicious traffic being prevented by security measures.

Strategy

Monitor network activity logs and notify when blocked activity is detected in the internal network.

Triage and Response

  1. Check if the blocked action originates from legitimate internal users or unknown, potentially malicious sources.
  2. Look into the specific protocols and states involved to assess if the blocking aligns with normal network security policies.
  3. Cross-check with previous logs or data to see if this is a known pattern or a new threat.
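
The three triage steps above can be scripted over exported events. The sketch below is an added example, not part of the rule or of any Zero Networks or Datadog tooling; the field names (`src`, `dst`, `proto`, `state`), the internal range, the host inventory, and the sample events are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data. Field names are hypothetical, not a vendor log schema.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
KNOWN_HOSTS = {"10.0.4.17"}                           # assumed asset inventory
BASELINE = [  # earlier blocked events, used for the cross-check in step 3
    {"src": "10.0.4.17", "dst": "10.0.9.5", "proto": "tcp/445", "state": "blocked"},
]
NEW_EVENTS = [
    {"src": "10.0.4.17", "dst": "10.0.9.5", "proto": "tcp/445", "state": "blocked"},
    {"src": "10.0.7.88", "dst": "10.0.9.5", "proto": "tcp/3389", "state": "blocked"},
    {"src": "10.0.7.88", "dst": "10.0.9.5", "proto": "tcp/3389", "state": "blocked"},
    {"src": "203.0.113.40", "dst": "10.0.9.5", "proto": "tcp/22", "state": "blocked"},
    {"src": "10.0.7.88", "dst": "10.0.9.6", "proto": "tcp/3389", "state": "allowed"},
]


def source_class(ip, known_hosts, internal_nets):
    """Step 1: is the source a known host, an unknown internal host, or external?"""
    if ip in known_hosts:
        return "known-internal"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in internal_nets):
        return "unknown-internal"
    return "external"


def flow_key(event):
    return (event["src"], event["dst"], event["proto"])


def triage(events, baseline, known_hosts, internal_nets):
    """Return one finding per distinct blocked (src, dst, proto) flow."""
    seen = {flow_key(e) for e in baseline if e["state"] == "blocked"}
    # Step 2: only the blocked state is of interest; keep the protocol per flow.
    counts = Counter(flow_key(e) for e in events if e["state"] == "blocked")
    findings = []
    for key, n in sorted(counts.items()):
        src, dst, proto = key
        origin = source_class(src, known_hosts, internal_nets)
        pattern = "known" if key in seen else "new"  # step 3
        findings.append({
            "src": src, "dst": dst, "proto": proto, "count": n,
            "source": origin, "pattern": pattern,
            # Review first: a flow not seen before from a source not in inventory.
            "review_first": pattern == "new" and origin != "known-internal",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(NEW_EVENTS, BASELINE, KNOWN_HOSTS, INTERNAL_NETS):
        print(finding)
```
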