Example: Internet-bound SMB attempts

Discussion created by securitysavy on Feb 27, 2012

Attached is a correlation rule (the logic anyway) for alerting on internet-bound SMB accesses, which may be indicative of malware or policy violation.


Keep in mind you may trigger lots of alerts initially.  Customize as you need.
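As an added example (not the attachment from the original post, and not the poster's rule), here is Python detection logic in the spirit of that rule: it reads constructed firewall/flow log lines, flags TCP connections to ports 445 or 139 whose destination falls outside the private and non-routable ranges, skips a tunable allow-list of sanctioned external SMB destinations (the "customize as you need" knob), and counts hits per internal source so the noisiest hosts surface first. The CSV log format, the sample addresses (documentation ranges standing in for public hosts) and the `allowed_destinations` parameter are assumptions for this example.

```python
import ipaddress
from collections import Counter, namedtuple

# Destination ports used by SMB: direct-hosted SMB over 445, NetBIOS session over 139.
SMB_PORTS = {445, 139}

# Address ranges that are not "internet": RFC 1918, loopback, link-local,
# multicast, "this network" and limited broadcast. Anything else is treated
# as internet-bound. (Checked explicitly rather than via ipaddress.is_global,
# which also classifies the documentation ranges used below as non-global.)
NON_INTERNET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "0.0.0.0/8", "255.255.255.255/32",
)]

SmbEvent = namedtuple("SmbEvent", "ts src dst port action")

# Constructed sample log lines for this example (not from the original post).
# Format assumed here: timestamp,src_ip,dst_ip,dst_port,proto,action
# 203.0.113.x / 198.51.100.x are documentation ranges standing in for public hosts.
SAMPLE_LOG = """\
2012-02-27T10:00:01,10.1.2.3,10.1.2.10,445,tcp,allow
2012-02-27T10:00:02,10.1.2.3,203.0.113.7,445,tcp,allow
2012-02-27T10:00:03,10.1.2.4,198.51.100.9,139,tcp,deny
2012-02-27T10:00:04,10.1.2.5,192.168.5.5,445,tcp,allow
2012-02-27T10:00:05,10.1.2.3,203.0.113.8,445,tcp,allow
2012-02-27T10:00:06,10.1.2.6,203.0.113.20,80,tcp,allow
2012-02-27T10:00:07,10.1.2.7,203.0.113.50,445,udp,allow
"""


def is_internet_bound(dst_ip):
    """True when the destination is outside every non-internet range above."""
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in net for net in NON_INTERNET_NETS)


def parse_line(line):
    """Split one CSV log line into typed fields (port becomes an int)."""
    ts, src, dst, port, proto, action = line.strip().split(",")
    return ts, src, dst, int(port), proto, action


def find_internet_bound_smb(log_text, allowed_destinations=()):
    """Return SMB-port TCP events whose destination is on the internet.

    allowed_destinations: CIDR strings for sanctioned external SMB targets
    (hypothetical tuning knob) that should not raise an alert.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_destinations]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, action = parse_line(line)
        if proto != "tcp" or port not in SMB_PORTS:
            continue
        if not is_internet_bound(dst):
            continue
        dst_addr = ipaddress.ip_address(dst)
        if any(dst_addr in net for net in allowed):
            continue
        # Denied attempts are kept too: a blocked outbound SMB try is still a signal.
        hits.append(SmbEvent(ts, src, dst, port, action))
    return hits


def summarize_by_source(events):
    """Count alerts per internal source so the noisiest hosts surface first."""
    return Counter(e.src for e in events)


if __name__ == "__main__":
    found = find_internet_bound_smb(SAMPLE_LOG)
    for ev in found:
        print(f"{ev.ts} {ev.src} -> {ev.dst}:{ev.port} ({ev.action})")
    print("per-source counts:", dict(summarize_by_source(found)))
```

Running it on the sample yields three alerts (two from 10.1.2.3, one denied attempt from 10.1.2.4); passing `allowed_destinations=("203.0.113.0/24",)` trims that to the single denied event, which is the kind of per-environment tuning the post has in mind.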