Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 20 Minutes |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.
This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network.
Attacker's Goals
Scan a known external-facing asset to gain knowledge about the organization.
Investigative actions
- Verify that the domain doesn't host numerous subdomains.
- Verify that the source of the scan is not a known external scanner.
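
The counting logic described above, sketched as an added example (not the vendor's detector code): it learns a per-root-domain ceiling on distinct subdomains per 20-minute window from training traffic, then flags test windows that exceed it, skipping sources on a known-scanner allowlist. The mean + 3 standard deviations threshold, the floor of 5, the two-label root-domain rule and all sample records are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 20 * 60  # test period from the synopsis, in seconds

def root_domain(host):
    # Assumption: the last two labels form the root; production code
    # should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def distinct_subdomains(events):
    """Map (root, window index) -> set of distinct hosts requested."""
    seen = defaultdict(set)
    for ts, _src, host in events:
        seen[(root_domain(host), ts // WINDOW)].add(host.lower().rstrip("."))
    return seen

def baseline(training_events, k=3.0, floor=5):
    """Per-root threshold: mean + k*stdev of distinct hosts per window."""
    per_root = defaultdict(list)
    for (root, _w), hosts in distinct_subdomains(training_events).items():
        per_root[root].append(len(hosts))
    return {r: max(floor, mean(c) + k * pstdev(c)) for r, c in per_root.items()}

def detect(test_events, thresholds, known_scanners=frozenset(), floor=5):
    """Return sorted (root, window, count) for windows above threshold."""
    kept = [e for e in test_events if e[1] not in known_scanners]
    alerts = []
    for (root, w), hosts in distinct_subdomains(kept).items():
        if len(hosts) > thresholds.get(root, floor):
            alerts.append((root, w, len(hosts)))
    return sorted(alerts)

# Constructed sample records: (epoch seconds, source IP, requested host).
TRAIN = [(w * WINDOW + i, "192.0.2.10", f"{n}.example.com")
         for w in range(6) for i, n in enumerate(["www", "mail", "api"])]
# A domain that legitimately hosts many subdomains (first investigative action).
TRAIN += [(w * WINDOW + i, "192.0.2.10", f"cdn{i}.bigsite.test")
          for w in range(6) for i in range(40)]
T0 = 100 * WINDOW
GUESSES = ["dev", "staging", "vpn", "admin", "test", "old", "git", "jira"]
TEST = [(T0 + i, "198.51.100.7", f"{g}.example.com") for i, g in enumerate(GUESSES)]
TEST += [(T0 + i, "192.0.2.10", f"cdn{i}.bigsite.test") for i in range(40)]

if __name__ == "__main__":
    print(detect(TEST, baseline(TRAIN)))
```

The many-subdomain domain does not alert because its own baseline is already high, and passing the scanning source in `known_scanners` suppresses the remaining alert, mirroring the two investigative actions.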