Detectionhightest
OpenCanary - NTP Monlist Request
Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
opencanaryapplication
Productopencanary← raw: opencanary
Categoryapplication← raw: application
Detection Logic
Detection Logic1 selector
detection:
selection:
logtype: 11001
condition: selectionFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
7cded4b3-f09e-405a-b96f-24248433ba44
Status
test
Level
high
Type
Detection
Created
Fri Mar 08
Author
Path
rules/application/opencanary/opencanary_ntp_monlist.yml
Raw Tags
attack.impactattack.t1498