
Summary
This rule identifies inbound ICMP Timestamp Request (type 13) or ICMP Information Request (type 15) packets sent from external sources to internal RFC1918 addresses. It consumes ICMP telemetry from the network_traffic.icmp data stream and flags events where the ICMP request type is 13 or 15, the destination IP is private (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16), and the source IP is not within common internal or reserved ranges (excluded to reduce false positives from legitimate internal probes). A Timestamp Reply discloses the target's clock, which scanners use for OS fingerprinting and uptime inference, so this pattern is typically associated with host fingerprinting during reconnaissance or active scanning. MITRE ATT&CK mappings: T1018 Remote System Discovery (Discovery) and T1595 Active Scanning (Reconnaissance), with sub-technique T1595.001 Scanning IP Blocks. The rule has a risk_score of 21 and a severity of low.

Setup requires ICMP telemetry in the network_traffic.icmp data stream. The rule is intended for network security monitoring and threat detection and ships with triage guidance, false-positive considerations and remediation steps that emphasize perimeter controls, asset exposure checks and enhanced monitoring for follow-on activity. False positives may arise from legacy monitoring or SLA probes; maintain validated exceptions for known sources. Response recommendations include blocking or rate-limiting unauthorized external sources and verifying that internal hosts are not exposed to the Internet. Treat a hit as a network reconnaissance/scan indicator within a broader security operations workflow; a single external source probing many internal destinations is the shape that most strongly suggests IP-block scanning.
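To make the rule logic concrete, the following Python is an added example, not the rule's own query or any vendor code. It implements the three conditions from the summary (request type 13 or 15, RFC1918 destination, non-internal/non-reserved source) over constructed sample events, suppresses a validated exception the way the false-positive guidance recommends, and adds the per-source triage view a responder wants when deciding whether a hit looks like an IP-block scan. The event field layout (ECS source.ip and destination.ip, Packetbeat-style icmp.request.type), the exact list of reserved source ranges, the sample addresses and the exception list are all assumptions.

```python
"""Reference implementation of the rule logic: ICMP type 13/15 requests from
external sources to RFC1918 destinations, run over constructed sample events."""
import ipaddress
from collections import defaultdict
from typing import Iterable

# Destination ranges the rule treats as internal (RFC1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Source ranges excluded as "internal/reserved". The rule summary gives no exact
# list, so this set is an assumption: RFC1918, "this network", loopback,
# link-local, CGNAT shared space, multicast and the reserved class E block.
INTERNAL_OR_RESERVED_SOURCES = RFC1918 + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "224.0.0.0/4", "240.0.0.0/4",
)]

PROBE_TYPES = {13, 15}  # ICMP Timestamp Request (13), Information Request (15)


def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def is_external_icmp_probe(event: dict, exceptions: Iterable[str] = ()) -> bool:
    """True if `event` matches the rule. The field layout (ECS source.ip /
    destination.ip and Packetbeat-style icmp.request.type) is assumed."""
    try:
        icmp_type = int(event["icmp"]["request"]["type"])
        src = ipaddress.ip_address(event["source"]["ip"])
        dst = ipaddress.ip_address(event["destination"]["ip"])
    except (KeyError, TypeError, ValueError):
        return False  # replies or malformed events carry no request type
    if src.version != 4 or dst.version != 4:
        return False  # RFC1918 is IPv4-only; IPv6 is out of scope for this rule
    if icmp_type not in PROBE_TYPES:
        return False
    # Explicit RFC1918 membership rather than IPv4Address.is_private, whose
    # definition is broader and has changed between Python versions.
    if not _in_any(dst, RFC1918):
        return False
    if _in_any(src, INTERNAL_OR_RESERVED_SOURCES):
        return False
    # Validated exceptions (e.g. a known SLA or legacy monitoring probe).
    if _in_any(src, [ipaddress.ip_network(e) for e in exceptions]):
        return False
    return True


def find_probes(events: Iterable[dict], exceptions: Iterable[str] = ()) -> list:
    return [e for e in events if is_external_icmp_probe(e, exceptions)]


def summarize_by_source(hits: Iterable[dict]) -> dict:
    """Triage view: per external source, hit count and distinct internal targets.
    One source touching many targets is the T1595.001 (IP block scan) shape."""
    out = defaultdict(lambda: {"count": 0, "destinations": set()})
    for e in hits:
        s = out[e["source"]["ip"]]
        s["count"] += 1
        s["destinations"].add(e["destination"]["ip"])
    return {k: {"count": v["count"], "destinations": sorted(v["destinations"])}
            for k, v in out.items()}


def _ev(eid, src, dst, req_type=None, resp_type=None):
    icmp = {}
    if req_type is not None:
        icmp["request"] = {"type": req_type}
    if resp_type is not None:
        icmp["response"] = {"type": resp_type}
    return {"event_id": eid, "source": {"ip": src}, "destination": {"ip": dst}, "icmp": icmp}


# Constructed sample events using documentation-range addresses, not real telemetry.
SAMPLE_EVENTS = [
    _ev("e1", "203.0.113.7", "10.1.2.3", req_type=13),      # external -> RFC1918: hit
    _ev("e2", "203.0.113.7", "10.1.2.4", req_type=13),      # same scanner, next host: hit
    _ev("e3", "10.0.0.5", "10.1.2.3", req_type=13),         # internal source: excluded
    _ev("e4", "198.51.100.9", "192.168.1.10", req_type=8),  # echo request: not in scope
    _ev("e5", "203.0.113.7", "8.8.8.8", req_type=13),       # public destination: not in scope
    _ev("e6", "192.0.2.50", "172.16.5.5", req_type=15),     # hit unless allow-listed
    _ev("e7", "169.254.1.1", "10.0.0.1", req_type=13),      # link-local source: excluded
    _ev("e8", "203.0.113.7", "10.1.2.3", resp_type=14),     # timestamp reply: no request type
]

# Assumed validated exception: a known SLA monitoring probe.
SLA_PROBE_EXCEPTIONS = ("192.0.2.50/32",)


if __name__ == "__main__":
    hits = find_probes(SAMPLE_EVENTS, exceptions=SLA_PROBE_EXCEPTIONS)
    for h in hits:
        print("ALERT", h["event_id"], h["source"]["ip"], "->", h["destination"]["ip"])
    print(summarize_by_source(hits))
```

Two design points worth carrying into a real deployment: the exception list is keyed on source prefix, so a compromised "known probe" host would still be suppressed, and the source-exclusion list only filters private and reserved space, so a probe from a legitimately public IP that belongs to your own organization will fire until it is added as a validated exception.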
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1018
- T1595
- T1595.001
Created: 2026-06-25