Identifies internal source IPs (10.x.x.x hosts) that have triggered 10 or more non-graceful TCP server resets from one or more destination IPs, where the sessions also carry an "app = incomplete" designation. Server resets coupled with an "incomplete" app designation can be an indication of internal-to-external port scanning or probing. References: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK https://knowledgebase.paloaltonetworks.com/KCSArticleDetail
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Azure Cloud NGFW By Palo Alto Networks |
| ID | 5b72f527-e3f6-4a00-9908-8e4fee14da9f |
| Severity | Low |
| Status | Available |
| Kind | Scheduled |
| Tactics | Discovery |
| Techniques | T1046 |
| Required Connectors | AzureCloudNGFWByPaloAltoNetworks |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| CommonSecurityLog | ✓ | ✓ | ? |
| fluentbit_CL 🔶 | ? | ✓ | ? |