
Network IOC Scanning

What is Network IOC Scanning?

Network IOC Scanning monitors your organization's network connections against known malicious infrastructure. When a device connects to a known command & control (C2) server, malware distribution site, or other threat infrastructure, the system immediately detects and alerts.

Why Network IOC Scanning Matters

  • Early Detection: Identify compromised systems before data exfiltration
  • Automated Monitoring: No manual log analysis required
  • Comprehensive Coverage: 32,000+ malicious IPs monitored
  • Fast Response: Detections create immediate alerts
  • Context-Rich: Know which malware family is involved

How It Works

Scanning Process

┌─────────────────────────────────────┐
│       Network Connection Data       │
│       (From Discovery Scans)        │
└─────────────────┬───────────────────┘
                  │
                  ▼
┌─────────────────────────────────────┐
│         IOC Database Lookup         │
│        32,774 Malicious IPs         │
│        160 Malware Families         │
└─────────────────┬───────────────────┘
                  │
                  ▼
┌─────────────────────────────────────┐
│           Match Detection           │
│   IP + Port + Malware Association   │
└─────────────────┬───────────────────┘
                  │
                  ▼
┌─────────────────────────────────────┐
│       Security Event Created        │
│    With Full Context & Severity     │
└─────────────────────────────────────┘

Optimized Detection

Tripl-i uses a reverse lookup approach for maximum performance:

  1. Extract all known malicious IPs from threat intelligence
  2. Query network connections for matches in batches
  3. Complete scan of 32,000+ IOCs in approximately 5 seconds

This is significantly faster than checking each connection individually, because the IOC list is the smaller of the two sets: a handful of batches of known-bad IPs is matched against the connection store, instead of every one of the hundreds of thousands of connection records being tested in turn against the full IOC list.
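The batched reverse lookup, grouping and severity assignment described above, as an added example in Python against an in-memory SQLite connection store. This is not Tripl-i's own code: the IOC entries, connection records, column names and the category-to-severity mapping are constructed assumptions made for the example, and the real pipeline's schema and feed format are not documented on this page.

```python
import sqlite3
from dataclasses import dataclass

# Constructed IOC feed (assumption): remote IP -> (malware family, category).
# The category drives severity, following the escalation table on this page.
IOC_FEED = {
    "47.95.207.79": ("Cobalt Strike", "C2"),
    "203.0.113.45": ("Remcos", "RAT"),
    "198.51.100.23": ("Unknown", "Suspicious"),
}

SEVERITY_BY_CATEGORY = {
    "Ransomware": "Critical", "C2": "Critical",
    "RAT": "High", "Backdoor": "High",
    "Suspicious": "Medium", "Monitoring": "Low",
}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed connection records (host, process, remote_ip, remote_port,
# seen_at), in the shape a discovery agent might report them (assumption).
CONNECTIONS = [
    ("WORKSTATION-001", "svchost.exe", "47.95.207.79", 443, "2026-01-04 10:23:45"),
    ("WORKSTATION-001", "svchost.exe", "47.95.207.79", 443, "2026-01-04 10:24:15"),
    ("WORKSTATION-001", "svchost.exe", "47.95.207.79", 443, "2026-01-04 10:24:45"),
    ("SRV-FILE-02", "explorer.exe", "203.0.113.45", 2404, "2026-01-04 11:02:10"),
    ("WORKSTATION-007", "chrome.exe", "93.184.216.34", 443, "2026-01-04 09:00:00"),
    ("WORKSTATION-009", "outlook.exe", "198.51.100.23", 25, "2026-01-04 12:30:00"),
]


@dataclass
class Detection:
    host: str
    process: str
    remote_ip: str
    remote_port: int
    family: str
    severity: str
    first_seen: str
    connections: int = 0


def load_connections(rows):
    """In-memory stand-in for the pipeline's connection store, indexed on
    remote_ip so the per-batch IN (...) lookups do not walk every row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE conn (host TEXT, process TEXT, remote_ip TEXT, "
               "remote_port INTEGER, seen_at TEXT)")
    db.execute("CREATE INDEX conn_remote_ip ON conn(remote_ip)")
    db.executemany("INSERT INTO conn VALUES (?,?,?,?,?)", rows)
    return db


def scan(db, ioc_feed, batch_size=5000):
    """Reverse lookup: walk the IOC IPs in batches and ask the store for
    every connection to any IP in the batch, one query per batch. Hits are
    grouped per (host, process, remote_ip, remote_port) with a connection
    count and the earliest sighting, then ordered by severity."""
    ips = sorted(ioc_feed)
    grouped = {}
    for start in range(0, len(ips), batch_size):
        batch = ips[start:start + batch_size]
        placeholders = ",".join("?" * len(batch))
        rows = db.execute(
            "SELECT host, process, remote_ip, remote_port, seen_at FROM conn "
            f"WHERE remote_ip IN ({placeholders}) ORDER BY seen_at", batch).fetchall()
        for host, process, rip, rport, seen_at in rows:
            key = (host, process, rip, rport)
            if key not in grouped:
                family, category = ioc_feed[rip]
                severity = SEVERITY_BY_CATEGORY.get(category, "Low")
                grouped[key] = Detection(host, process, rip, rport, family,
                                         severity, first_seen=seen_at)
            grouped[key].connections += 1
    return sorted(grouped.values(),
                  key=lambda d: (SEVERITY_RANK[d.severity], d.host))


def summarize(db, ioc_feed, detections):
    """The figures shown in a scan summary (matches counted per detection)."""
    total = db.execute("SELECT COUNT(*) FROM conn").fetchone()[0]
    return {"connections_analyzed": total, "iocs_checked": len(ioc_feed),
            "matches_found": len(detections)}


if __name__ == "__main__":
    store = load_connections(CONNECTIONS)
    found = scan(store, IOC_FEED, batch_size=2)  # tiny batch just to exercise batching
    for d in found:
        print(f"[{d.family}] {d.remote_ip}:{d.remote_port}  Host: {d.host}  "
              f"Process: {d.process}  Connections: {d.connections}  "
              f"First Seen: {d.first_seen}  Severity: {d.severity}")
    print(summarize(store, IOC_FEED, found))
```

The per-batch query is the point: with an index on the remote address, the cost of a scan scales with the number of IOC batches, not with the number of connection records, which is why the scan time in the tables below grows only gently with environment size. In a real deployment the batch size also has to stay under the database's bound-parameter limit.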

Running a Scan

Automatic Scanning

Network IOC scanning runs automatically as part of the regular discovery process:

  1. Discovery agent collects network connection data
  2. Data is processed through the scan pipeline
  3. IOC check runs as part of blacklist processing
  4. Any matches create security events

On-Demand Scanning

To run a manual IOC scan:

  1. Navigate to Security → Network Scanning
  2. Select the tenant/organization to scan
  3. Click Run IOC Scan
  4. View results in the scan history

Understanding Results

Clean Scan

When no malicious connections are found:

✅ No malicious IP connections found. Network is clean!

Scan Summary:
- Connections Analyzed: 105,006
- Malicious IPs Checked: 32,774
- Matches Found: 0
- Scan Duration: 5.08 seconds

Detection Found

When a malicious connection is detected:

⚠️ MALICIOUS CONNECTIONS DETECTED!

[Cobalt Strike] 47.95.207.79:443
Host: WORKSTATION-001
Process: svchost.exe
Connections: 12
First Seen: 2026-01-04 10:23:45

Detection Details

What Gets Detected

Detection Type         Description
C2 Communication       Connection to command & control servers
Malware Download       Connection to malware distribution sites
Data Exfiltration      Unusual outbound connections to known bad IPs
Botnet Participation   Communication with botnet infrastructure

Information Provided

Each detection includes:

  • Affected Host: Which server/workstation has the connection
  • Remote IP:Port: The malicious destination
  • Malware Family: What threat is associated (Cobalt Strike, Remcos, etc.)
  • Process Name: What process established the connection
  • Connection Count: How many times this connection was observed
  • Severity: Based on the malware type (Critical/High/Medium/Low)

Responding to Detections

Immediate Actions

  1. Verify the Detection: Confirm the connection exists on the host
  2. Assess the Process: Is it a legitimate process or unknown?
  3. Check User Activity: Was this user action or automated?
  4. Isolate if Critical: Consider network isolation for confirmed C2

Investigation Steps

  1. Review the affected host in CMDB
  2. Check for related security events
  3. Examine process execution history
  4. Review network connection patterns
  5. Document findings and actions taken

Escalation Criteria

Severity                    Escalation
Critical (Ransomware, C2)   Immediate incident response
High (RAT, Backdoor)        Security team review within 1 hour
Medium (Suspicious)         Security team review within 24 hours
Low (Monitoring)            Weekly review

Integration with CMDB

Asset Context

Detections are linked to Configuration Items (CIs):

  • View all details about the affected host
  • See installed software and services
  • Review network relationships
  • Check compliance status

Impact Analysis

Understand the blast radius:

  • What services depend on this host?
  • What data is accessible from this system?
  • Who are the users of this workstation?
  • What is the business criticality?

Performance Considerations

Scan Performance

Metric          Typical Value
IOCs Checked    32,774
Batch Size      5,000 IPs
Total Batches   7
Scan Duration   ~5 seconds

Network Connection Volume

Environment Size     Connections   Scan Time
Small (50 hosts)     ~10,000       ~2 seconds
Medium (200 hosts)   ~50,000       ~3 seconds
Large (1000 hosts)   ~250,000      ~10 seconds

Best Practices

Regular Scanning

  • Enable automatic scanning during discoveries
  • Run on-demand scans after security incidents
  • Schedule full scans during low-activity periods

Alert Configuration

  • Route critical detections to on-call staff
  • Send high-severity to security team channels
  • Log medium/low for daily review

False Positive Management

Some detections may be false positives due to:

  • Shared hosting infrastructure
  • IP address reuse after cleanup
  • CDN or cloud provider associations

For confirmed false positives:

  1. Document the reason
  2. Add exclusion to the policy
  3. Continue monitoring the host
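Applying a documented exclusion policy to detections, as an added example in Python that is not Tripl-i's own code. Each exclusion carries the reason and author from step 1, can be scoped to a host and port, and expires so that an IP reassigned after a cleanup or a shared CDN range gets re-reviewed instead of being suppressed forever; suppressed detections are kept with the exclusion attached rather than dropped, so the host stays visible (step 3). The detections, exclusion records and field names are constructed assumptions; the product's actual policy format is not documented on this page.

```python
from datetime import date

# Constructed exclusions (assumption). remote_ip is required; port and host
# are optional scopes (None = any). expires forces periodic re-review.
EXCLUSIONS = [
    {"remote_ip": "198.51.100.23", "port": 25, "host": None,
     "reason": "Shared mail relay; IP reassigned to new owner after takedown",
     "added_by": "analyst-a", "expires": date(2026, 3, 1)},
    {"remote_ip": "203.0.113.45", "port": None, "host": "SRV-FILE-02",
     "reason": "CDN edge shared with a flagged tenant",
     "added_by": "analyst-b", "expires": date(2025, 12, 31)},  # lapsed
]

# Constructed detections (assumption) in the shape a scan result might take.
DETECTIONS = [
    {"host": "WORKSTATION-001", "remote_ip": "47.95.207.79", "port": 443,
     "family": "Cobalt Strike", "severity": "Critical"},
    {"host": "WORKSTATION-009", "remote_ip": "198.51.100.23", "port": 25,
     "family": "Unknown", "severity": "Medium"},
    {"host": "SRV-FILE-02", "remote_ip": "203.0.113.45", "port": 2404,
     "family": "Remcos", "severity": "High"},
]


def matching_exclusion(detection, exclusions, today):
    """Return the first active exclusion covering this detection, else None.
    Exclusions with no documented reason are ignored on purpose: an
    undocumented suppression is how a real C2 channel gets waved through."""
    for ex in exclusions:
        if not ex.get("reason"):
            continue
        if ex["expires"] < today:
            continue
        if ex["remote_ip"] != detection["remote_ip"]:
            continue
        if ex["port"] is not None and ex["port"] != detection["port"]:
            continue
        if ex["host"] is not None and ex["host"] != detection["host"]:
            continue
        return ex
    return None


def apply_policy(detections, exclusions, today):
    """Split detections into those to alert on and those suppressed by
    policy. Suppressed entries keep all their data plus who excluded them,
    why, and until when, so the host continues to be monitored."""
    alerts, suppressed = [], []
    for d in detections:
        ex = matching_exclusion(d, exclusions, today)
        if ex is None:
            alerts.append(d)
        else:
            suppressed.append({**d,
                               "excluded_reason": ex["reason"],
                               "excluded_by": ex["added_by"],
                               "exclusion_expires": ex["expires"].isoformat()})
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = apply_policy(DETECTIONS, EXCLUSIONS, date(2026, 1, 5))
    for d in alerts:
        print(f"ALERT      [{d['family']}] {d['remote_ip']}:{d['port']} on {d['host']}")
    for d in suppressed:
        print(f"SUPPRESSED [{d['family']}] {d['remote_ip']}:{d['port']} on {d['host']} "
              f"({d['excluded_reason']}; by {d['excluded_by']}, until {d['exclusion_expires']})")
```

Note the lapsed SRV-FILE-02 exclusion: on the run date it no longer applies, so the Remcos detection is alerted on again and an analyst has to decide whether the shared-infrastructure explanation still holds.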

Frequently Asked Questions

Q: How often should I run IOC scans?
A: Automatic scanning during discoveries is recommended. Additional on-demand scans can be run after incidents or security concerns.

Q: What if my network is air-gapped?
A: Air-gapped networks won't have external C2 connections, but internal lateral movement could still be detected if threat actors bring their own infrastructure.

Q: Can I export detection results?
A: Yes, export to CSV or PDF from the scan results page for reporting and documentation.

Q: What's the difference between this and my firewall?
A: Firewalls block connections; IOC scanning detects connections that already occurred, identifying potentially compromised systems even if the connection succeeded.