Abnormal SMB scanning activity to multiple hosts

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-11-12

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	20 Minutes
Deduplication Period	2 Days
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags
ATT&CK Tactic	Reconnaissance (TA0043)
ATT&CK Technique	Active Scanning (T1595)
Severity	Informational

Description

An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services.
Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

Variations

Highly rare SMB scanning activity to multiple hosts

Synopsis

ATT&CK Tactic	Reconnaissance (TA0043)
ATT&CK Technique	Active Scanning (T1595)
Severity	Low

Description

An endpoint performed a new, and highly rare, SMB scanning activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services.
Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

Highly rare SMB scanning activity to multiple hosts

Synopsis

ATT&CK Tactic	Reconnaissance (TA0043)
ATT&CK Technique	Active Scanning (T1595)
Severity	Low

Description

An endpoint performed a new, and highly rare SMB scanning activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services.
Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

Abnormal SMB scanning activity to multiple hosts

Synopsis

ATT&CK Tactic	Reconnaissance (TA0043)
ATT&CK Technique	Active Scanning (T1595)
Severity	Low

Description

An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services.
Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

Abnormal SMB scanning activity to multiple hosts

Synopsis

ATT&CK Tactic	Reconnaissance (TA0043)
ATT&CK Technique	Active Scanning (T1595)
Severity	Low

Description

An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services.
Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.