# ICMP Scan

An ICMP (Internet Control Message Protocol) scan, also called a ping sweep, sends ICMP echo request packets ("pings") to many addresses in a range and records which ones answer, giving the scanner a list of live hosts. ICMP is a normal diagnostic protocol, so an individual echo request is not suspicious; what marks a scan is a single source reaching an unusually large number of distinct destinations, either in a burst or spread slowly over hours to stay below simple rate thresholds. Because host discovery usually precedes port scanning and exploitation, detecting a sweep early gives administrators time to watch the source, tighten filtering, and patch exposed hosts before the follow-on activity starts.

ElastiFlow provides a set of anomaly detection jobs that identify ICMP scans by flagging unusual ICMP traffic patterns in flow data. Each job is supplied for a traffic perspective (edge, inbound, outbound, private) and for both a fast and a slow detection window, so that rapid sweeps and low-and-slow sweeps are covered.
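As an added illustration, not ElastiFlow's ML job (whose notion of "unusual" is learned from your own traffic history rather than fixed by hand), the Python sketch below shows the signal such a job keys on: one source sending ICMP echo requests to far more distinct destinations than normal within a time window, evaluated once with a short window and once with a long one. The flow field names, the direction labels and the fixed fan-out threshold are assumptions, and the sample flows are constructed.

```python
"""Sliding-window ICMP sweep detector over flow records.

Added illustration, not ElastiFlow's ML job: it uses a fixed fan-out
threshold to show the signal those jobs learn from flow data, and why a
fast and a slow window are both needed. Field names, direction labels
and the sample records are assumptions constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

ICMP = 1           # IP protocol number for ICMP
ECHO_REQUEST = 8   # ICMP type 8 = echo request ("ping")
ECHO_REPLY = 0     # ICMP type 0 = echo reply


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since epoch (constructed values below)
    src: str
    dst: str
    proto: int
    icmp_type: int   # -1 for non-ICMP flows
    direction: str   # assumed labels: "inbound", "outbound", "private"


def detect_sweeps(flows, window_s, fanout_threshold, perspective=None):
    """Return {src: peak_fanout} for every source whose distinct echo-request
    destinations inside some sliding window of `window_s` seconds exceeded
    `fanout_threshold`. `perspective` optionally restricts to one direction."""
    by_src = defaultdict(list)
    for f in flows:
        if perspective is not None and f.direction != perspective:
            continue
        if f.proto == ICMP and f.icmp_type == ECHO_REQUEST:
            by_src[f.src].append((f.ts, f.dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                    # by timestamp
        in_window = defaultdict(int)     # dst -> echo requests currently in window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # evict requests older than window_s relative to this one
            while events[left][0] < ts - window_s:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak > fanout_threshold:
            hits[src] = peak
    return hits


def build_sample_flows():
    """Constructed flow records: a benign monitor, a fast sweep and a slow sweep."""
    flows = []
    # Benign: internal monitoring host pings three servers every 10 s for an hour.
    for k in range(360):
        for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            flows.append(Flow(k * 10.0, "10.0.0.5", host, ICMP, ECHO_REQUEST, "private"))
            flows.append(Flow(k * 10.0 + 0.001, host, "10.0.0.5", ICMP, ECHO_REPLY, "private"))
    # Fast sweep: external host pings all of 10.0.1.0/24 within about five seconds.
    for i in range(1, 255):
        flows.append(Flow(1000.0 + i * 0.02, "192.0.2.10", f"10.0.1.{i}", ICMP, ECHO_REQUEST, "inbound"))
    # Slow sweep: external host pings one new address in 10.0.2.0/24 every 30 s.
    for i in range(1, 121):
        flows.append(Flow(2000.0 + (i - 1) * 30.0, "198.51.100.7", f"10.0.2.{i}", ICMP, ECHO_REQUEST, "inbound"))
    # Unrelated TCP traffic that must be ignored by the detector.
    flows.append(Flow(1500.0, "192.0.2.10", "10.0.1.80", 6, -1, "inbound"))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("fast window (60 s):  ", detect_sweeps(sample, 60, 20))
    print("slow window (3600 s):", detect_sweeps(sample, 3600, 20))
```

With a 60-second window only the burst scanner exceeds the threshold; the host that pings one new address every 30 seconds never has more than three destinations in any minute and is only caught by the 3600-second window, which is the reason the jobs above ship in fast and slow variants. The monitoring host, which repeatedly pings the same three servers, stays under the threshold in both windows. A fixed threshold like this has to be tuned per network and would need allowlisting for legitimate high-fan-out sources (monitoring systems, load balancers doing health checks); baselining per source, as the ML jobs do, avoids hand-picking that number.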

## Attributes

| Attribute                       | Information                                                                           |
| ------------------------------- | ------------------------------------------------------------------------------------- |
| **Analysis Type**               | temporal                                                                              |
| **MITRE ATT\&CK Technique**     | [Active Scanning (T1595)](https://attack.mitre.org/techniques/T1595)                  |
| **MITRE ATT\&CK Sub-Technique** | [Scanning IP Blocks (T1595.001)](https://attack.mitre.org/techniques/T1595/001)       |
| **MITRE ATT\&CK Tactic**        | [Reconnaissance (TA0043)](https://attack.mitre.org/tactics/TA0043)                    |

## Downloads

| Schema    | Perspective  | Window   | Link                                                                                                                                                                                            |
| --------- | ------------ | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CODEX** | **edge**     | **fast** | [elastiflow\_codex\_netsec\_icmp\_scan\_direct\_edge\_fast](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_edge_fast.json) |
| **CODEX** | **edge**     | **slow** | [elastiflow\_codex\_netsec\_icmp\_scan\_direct\_edge\_slow](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_edge_slow.json) |
| **CODEX** | **inbound**  | **fast** | [elastiflow\_codex\_netsec\_icmp\_scan\_direct\_in\_fast](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_in_fast.json)     |
| **CODEX** | **inbound**  | **slow** | [elastiflow\_codex\_netsec\_icmp\_scan\_direct\_in\_slow](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_in_slow.json)     |
| **CODEX** | **outbound** | **fast** | [elastiflow\_codex\_netsec\_icmp\_scan\_direct\_out\_fast](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_out_fast.json)   |
| **CODEX** | **outbound** | **slow** | [elastiflow\_codex\_netsec\_icmp\_scan\_direct\_out\_slow](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_out_slow.json)   |
| **CODEX** | **private**  | **fast** | [elastiflow\_codex\_netsec\_icmp\_scan\_direct\_priv\_fast](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_priv_fast.json) |
| **CODEX** | **private**  | **slow** | [elastiflow\_codex\_netsec\_icmp\_scan\_direct\_priv\_slow](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_priv_slow.json) |
| **ECS**   | **edge**     | **fast** | [elastiflow\_ecs\_netsec\_icmp\_scan\_direct\_edge\_fast](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_edge_fast.json)   |
| **ECS**   | **edge**     | **slow** | [elastiflow\_ecs\_netsec\_icmp\_scan\_direct\_edge\_slow](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_edge_slow.json)   |
| **ECS**   | **inbound**  | **fast** | [elastiflow\_ecs\_netsec\_icmp\_scan\_direct\_in\_fast](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_in_fast.json)       |
| **ECS**   | **inbound**  | **slow** | [elastiflow\_ecs\_netsec\_icmp\_scan\_direct\_in\_slow](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_in_slow.json)       |
| **ECS**   | **outbound** | **fast** | [elastiflow\_ecs\_netsec\_icmp\_scan\_direct\_out\_fast](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_out_fast.json)     |
| **ECS**   | **outbound** | **slow** | [elastiflow\_ecs\_netsec\_icmp\_scan\_direct\_out\_slow](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_out_slow.json)     |
| **ECS**   | **private**  | **fast** | [elastiflow\_ecs\_netsec\_icmp\_scan\_direct\_priv\_fast](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_priv_fast.json)   |
| **ECS**   | **private**  | **slow** | [elastiflow\_ecs\_netsec\_icmp\_scan\_direct\_priv\_slow](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_recon/netsec_icmp_scan_direct_priv_slow.json)   |

Deploying these jobs lets an organization spot ICMP sweeps as they happen. Because host discovery is usually the first step of an intrusion, catching it early gives defenders time to investigate the scanning source and harden the hosts that answered before any follow-on activity begins.

