Next Steps

Through this brief analysis we uncovered something that looks suspicious. So far we have leveraged only the geo-enriched Bro telemetry. From here, we can start to explore other sources of telemetry to better understand the scope and overall exposure. Continue to investigate our suspicions with the other sources of telemetry available in Metron.

  • Try loading the Snort data and see if any alerts were triggered.

  • Load the flow telemetry and see what other internal assets have been exposed to this suspicious actor.

  • If an internal asset has been compromised, investigate the compromised asset's activity to uncover signs of internal reconnaissance or lateral movement.
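The three steps above (check Snort alerts for the suspect address, find internal assets that exchanged flows with it, then look at each exposed asset's follow-on internal activity) can be prototyped offline before building the equivalent queries in Metron. The script below is an added example, not Metron's own code. The Snort and flow records are constructed inline as Python dicts; their keys (`ip_src_addr`, `ip_dst_addr`, `ip_dst_port`, `timestamp`) follow Metron's normalized field names as assumed here, the suspect address is a placeholder from the documentation range, the internal prefixes and the remote-admin port list are assumptions to adapt to your environment, and the alert text is constructed.

```python
"""Correlate Snort alerts and flow records around one suspicious external IP.

Added example, not part of the Metron project. Field names are assumed to
match Metron's normalized schema; timestamps are epoch milliseconds.
"""
from ipaddress import ip_address, ip_network

# Assumed internal address space; adjust for your network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Constructed placeholder (RFC 5737 documentation range), not a real indicator.
SUSPECT_IP = "203.0.113.5"
# Assumed list of remote-administration ports worth flagging on internal flows.
REMOTE_ADMIN_PORTS = {22, 135, 445, 3389, 5985}

# Constructed sample Snort alerts (alert text is placeholder, not real rules).
SNORT = [
    {"timestamp": 1000, "ip_src_addr": "203.0.113.5", "ip_dst_addr": "10.0.0.7",
     "ip_dst_port": 443, "msg": "constructed alert text"},
    {"timestamp": 950, "ip_src_addr": "10.0.0.9", "ip_dst_addr": "10.0.0.7",
     "ip_dst_port": 443, "msg": "constructed alert text"},
]

# Constructed sample flow records.
FLOWS = [
    {"timestamp": 900, "ip_src_addr": "10.0.0.9", "ip_dst_addr": "10.0.0.7", "ip_dst_port": 443},
    {"timestamp": 1000, "ip_src_addr": "203.0.113.5", "ip_dst_addr": "10.0.0.7", "ip_dst_port": 443},
    {"timestamp": 1010, "ip_src_addr": "10.0.0.7", "ip_dst_addr": "203.0.113.5", "ip_dst_port": 8443},
    {"timestamp": 1100, "ip_src_addr": "10.0.0.7", "ip_dst_addr": "10.0.0.21", "ip_dst_port": 445},
    {"timestamp": 1101, "ip_src_addr": "10.0.0.7", "ip_dst_addr": "10.0.0.22", "ip_dst_port": 445},
    {"timestamp": 1102, "ip_src_addr": "10.0.0.7", "ip_dst_addr": "10.0.0.23", "ip_dst_port": 445},
    {"timestamp": 1200, "ip_src_addr": "10.0.0.9", "ip_dst_addr": "203.0.113.5", "ip_dst_port": 80},
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def alerts_involving(alerts, ip):
    """Step 1: Snort alerts where the suspect address is source or destination."""
    return [a for a in alerts if ip in (a["ip_src_addr"], a["ip_dst_addr"])]


def exposed_assets(flows, ip):
    """Step 2: internal hosts with any flow to or from the suspect, mapped to
    their earliest contact time (the start of the follow-on window)."""
    first_seen = {}
    for f in sorted(flows, key=lambda r: r["timestamp"]):
        if ip not in (f["ip_src_addr"], f["ip_dst_addr"]):
            continue
        other = f["ip_dst_addr"] if f["ip_src_addr"] == ip else f["ip_src_addr"]
        if is_internal(other):
            first_seen.setdefault(other, f["timestamp"])
    return first_seen


def internal_activity_after(flows, asset, since, fanout_threshold=3):
    """Step 3: summarise the asset's internal connections from first contact on.
    Two simple heuristics: fan-out to many distinct internal peers (scan-like
    reconnaissance) and connections to remote-admin ports (lateral movement)."""
    peers, ports = set(), set()
    for f in flows:
        if f["ip_src_addr"] != asset or f["timestamp"] < since:
            continue
        if not is_internal(f["ip_dst_addr"]):
            continue
        peers.add(f["ip_dst_addr"])
        ports.add(f["ip_dst_port"])
    return {
        "asset": asset,
        "distinct_internal_peers": len(peers),
        "remote_admin_ports": sorted(ports & REMOTE_ADMIN_PORTS),
        "recon_suspected": len(peers) >= fanout_threshold,
        "lateral_movement_suspected": bool(ports & REMOTE_ADMIN_PORTS),
    }


def triage(alerts, flows, suspect):
    """Run the three steps and return one report dict per exposed asset."""
    report = {"alerts": len(alerts_involving(alerts, suspect)), "assets": {}}
    for asset, since in exposed_assets(flows, suspect).items():
        report["assets"][asset] = internal_activity_after(flows, asset, since)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SNORT, FLOWS, SUSPECT_IP), indent=2))
```

With the constructed data, 10.0.0.7 is flagged on both heuristics (three internal SMB peers right after contact with the suspect), while 10.0.0.9 touched the suspect but shows no follow-on internal activity; the thresholds are deliberately low for the sample and should be tuned against your baseline before being used as alert logic.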