Monitor for anomalies related to discovery-related ICS functions, including devices that have not previously used these functions or functions being sent to many outstations.
Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background, see Remote System Discovery.
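The three checks above (a host issuing discovery functions it never used before, discovery functions fanned out to many outstations, and ICS connections absent from the baseline) as an added detection example over constructed flow records; this is illustrative code, not part of the ATT&CK page, and the flow fields, function labels and baselines are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic); fields are
# (source, destination, protocol, function). Function labels are illustrative:
# "read_device_id" stands in for a Modbus Read Device Identification request.
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", "modbus", "read_device_id"),    # known engineering workstation
    ("10.0.1.5", "10.0.2.11", "modbus", "read_holding_regs"),
    ("10.0.1.9", "10.0.2.10", "modbus", "read_device_id"),    # host never seen doing discovery
    ("10.0.1.9", "10.0.2.11", "modbus", "read_device_id"),
    ("10.0.1.9", "10.0.2.12", "modbus", "read_device_id"),
    ("10.0.1.9", "10.0.2.13", "modbus", "read_device_id"),
    ("10.0.1.9", "10.0.2.14", "modbus", "read_device_id"),
    ("10.0.1.9", "10.0.2.15", "modbus", "read_device_id"),
    ("10.0.1.7", "10.0.2.10", "dnp3", "read"),                # new protocol pair to a known asset
]

# Assumed baselines, e.g. learned from a period of known-good traffic.
DISCOVERY_FUNCTIONS = {("modbus", "read_device_id")}
BASELINE_DISCOVERY_HOSTS = {"10.0.1.5"}
BASELINE_CONNECTIONS = {
    ("10.0.1.5", "10.0.2.10", "modbus"),
    ("10.0.1.5", "10.0.2.11", "modbus"),
}

def find_discovery_anomalies(flows, fanout_threshold=5):
    """Return hosts newly issuing discovery functions, hosts sending them to
    at least fanout_threshold distinct outstations, and (src, dst, protocol)
    ICS connections that are not in the baseline."""
    targets = defaultdict(set)   # src -> outstations that received a discovery function
    new_connections = set()
    for src, dst, proto, func in flows:
        if (proto, func) in DISCOVERY_FUNCTIONS:
            targets[src].add(dst)
        if (src, dst, proto) not in BASELINE_CONNECTIONS:
            new_connections.add((src, dst, proto))
    new_discovery_hosts = {h for h in targets if h not in BASELINE_DISCOVERY_HOSTS}
    scanning_hosts = {h: len(t) for h, t in targets.items() if len(t) >= fanout_threshold}
    return {
        "new_discovery_hosts": new_discovery_hosts,
        "scanning_hosts": scanning_hosts,
        "new_connections": new_connections,
    }

if __name__ == "__main__":
    for name, hits in find_discovery_anomalies(SAMPLE_FLOWS).items():
        print(name, hits)
```

The fan-out threshold and baselines are the tunables; in practice they come from the site's own asset inventory and a learning period rather than the constants shown here.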
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | Traffic | None |
| Network Traffic Flow (DC0078) | Network Traffic | None |