Network Monitoring

The ESA Activity Monitoring rules for monitoring network activity are vendor rules supplied by vast limits. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.

Network Rules

The rules in this section detect suspicious behavior related to network operations.

  • Suspicious network target names
  • PowerShell outbound network connections
  • Suspicious outbound Kerberos connections
  • PowerShell remoting
  • Detect network connects from suspicious sources
  • Detect network connects from Windows processes
  • Detect network connects from third party tools
  • RDP connects from non-RDP software indicating lateral movement
  • Detect network connects to suspicious ports
  • Detect network connects to 80 and 443 from non-browser applications
