Threat Checks

Info: The product name for this user guide has changed from Foundation and Cloudscape to Business Service Discovery and Migration Planning. Previous UI pages known as Foundation have changed to Business Service Discovery. Previous UI pages known as CloudScape have changed to Migration Planning.

Threat Checks are a series of checks that run nightly on every assessment. Each Threat Check contributes to a device's Threat Level according to its Check Impact, which is listed for each check in the Threat Checks table. It takes more Low-impact checks than High-impact checks to raise a device's Threat Level.

| Check name | Impact | Description |
| --- | --- | --- |
| Device received connection from high-risk area | High | On day of check, device reported a TCP/IP connection where the IP geolocated to a high-risk area AND was the source of the connection. |
| Device initiated connection to high-risk area | | On day of check, device reported a TCP/IP connection where the IP geolocated to a high-risk area AND was the destination of the connection. |
| Device initiated connection to known anonymous proxy | High | On day of check, device reported a TCP/IP connection where the IP geolocated to a known anonymous proxy where the proxy was the destination of the connection. |
| Device received connection from known anonymous proxy | High | On day of check, device reported a TCP/IP connection where the IP geolocated to a known anonymous proxy where the proxy was the source of the connection. |
| Device started receiving connections from the Internet | Medium | On day of check, device reported a TCP/IP connection to a public IP address where the public address is the source of the connection AND no public IP address connection as the source was previously reported. |
| Device started reaching out to Internet | Low | On day of check, device reported a TCP/IP connection to a public IP address where the public address is the destination of the connection AND no public IP address connection as the destination was previously reported. |
| Device receives connections from the Internet | Medium | On day of check, device reported a TCP/IP connection to a public IP address. |
| Vulnerable package running | Medium | On day of check, device reported an executable that mapped to an installed package that was found to have a vulnerability. |
| Vulnerable package communicating | Medium | On day of check, device reported an executable in its TCP/IP connectivity that mapped to an installed package that was found to have a vulnerability. |
| Vulnerable package installed | Low | On day of check, device reported an installed package that was found to have a vulnerability. |
| New Listening Process | Low | On day of check, device reported a new listening process that did not exist on the previous day. |
| New Installed Software | Low | On day of check, device reported new software installed that did not exist on the previous day. |
| New Running Process | Low | On day of check, device reported a new process running that did not exist on the previous day. |
| Unused Listening Process | Low | On day of check, device reported a listening process to which no connections were observed in the previous 30 days. |
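The "started" and listening-process checks in the table depend on history rather than on a single day's data. The sketch below is an added example, not the product's implementation: it evaluates four of the checks over constructed records. The record layout, addresses, process names and the choice to end the 30-day window on the day of check are all assumptions.

```python
import ipaddress
from datetime import date, timedelta

DEVICE = "10.0.0.5"          # constructed device address
TODAY = date(2024, 5, 10)    # constructed "day of check"
# Constructed records: (day, source IP, destination IP, destination port)
CONNS = [
    (date(2024, 4, 25), "10.0.0.7", DEVICE, 443),
    (date(2024, 5, 9), DEVICE, "8.8.8.8", 53),
    (date(2024, 5, 10), DEVICE, "8.8.8.8", 53),
    (date(2024, 5, 10), "1.1.1.1", DEVICE, 22),
    (date(2024, 5, 10), "10.0.0.7", DEVICE, 6379),
]
# Constructed listener inventory: day -> {(process, port)}
LISTENERS = {
    TODAY - timedelta(days=1): {("nginx", 443), ("sshd", 22), ("cupsd", 631)},
    TODAY: {("nginx", 443), ("sshd", 22), ("cupsd", 631), ("redis-server", 6379)},
}

def is_public(ip):
    # Globally routable, i.e. not RFC 1918, loopback, link-local or reserved space.
    return ipaddress.ip_address(ip).is_global

def internet_checks(conns, today):
    """First-seen Internet checks: fire only if no earlier day had a public peer in that role."""
    fired = []
    for field, name in ((1, "Device started receiving connections from the Internet"),
                        (2, "Device started reaching out to Internet")):
        days = {c[0] for c in conns if is_public(c[field])}
        if today in days and min(days) == today:
            fired.append(name)
    return fired

def listener_checks(listeners, conns, device, today, window=30):
    """New Listening Process (absent the previous day) and Unused Listening Process."""
    previous = listeners.get(today - timedelta(days=1), set())
    start = today - timedelta(days=window)   # assumption: window ends on the day of check
    fired = []
    for proc, port in sorted(listeners.get(today, set())):
        if (proc, port) not in previous:
            fired.append(("New Listening Process", proc))
        if not any(dst == device and dport == port and start <= day <= today
                   for day, _src, dst, dport in conns):
            fired.append(("Unused Listening Process", proc))
    return fired

if __name__ == "__main__":
    print(internet_checks(CONNS, TODAY))
    print(listener_checks(LISTENERS, CONNS, DEVICE, TODAY))
```

The outbound check stays silent here because the device already had a public destination on the previous day, which is the difference between the "started" checks and the plain "receives connections" check.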