Skip to main content

Network Monitoring

In this article

The ESA Activity Monitoring rules for monitoring network activity are vast limits vendor rules. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.

Network Rules

The rules in this section detect suspicious behavior related to network operations.

  • Suspicious network target names
  • PowerShell outbound network connections
  • Suspicious outbound Kerberos connections
  • PowerShell remoting
  • Detect network connects from suspicious sources
  • Detect network connects from Windows processes
  • Detect network connects from third party tools
  • RDP connects from non-RDP software indicating lateral movement
  • Detect network connects to suspicious ports
  • Detect network connects to 80 and 443 from non-browser applications


Your email address will not be published. Required fields are marked *