Nmap scans for sensors

Arctic Wolf Sensors use the open-source technology Nmap to identify hosts in your environment.

Note: This information is about sensors used with the Managed Detection and Response (MDR) service. For information about how Managed Risk Scanners use Nmap scans, see Managed Risk Scanner functionality.

Sensors perform Nmap scans to identify the devices initiating the flows and traffic that the sensor is monitoring. When these scans are enabled, a device profile can be built for each identified asset, creating an internal inventory of devices on each subnet. Nmap scans improve internal platform analysis, reporting, and alerting. Arctic Wolf uses the device inventory created from these scans to provide additional context in investigations and incidents. Sensors only perform basic discovery and open port scans; they do not perform intensive port enumeration or network vulnerability tests.

Nmap scans occur when:
  • This is the first time we have seen the IP address.
  • The IP address has been inactive for an hour.
  • The previous scan was 8 hours ago.
  • The previous scan never completed.
  • An unknown error occurred with the previous scan.

Nmap scans collect this information about a device:
  • Hostname
  • IP and MAC address
  • OS
  • Open ports on the device
  • Device class, for example, desktop, server, switch, or router

By default, Nmap scanning is disabled when a sensor is provisioned. If Nmap scans are enabled, sensors scan and identify internal devices based on observed network activity. Nmap scans provide context on internal devices to enhance Arctic Wolf alerts. To enable Nmap scanning, contact your Concierge Security® Team (CST) at security@arcticwolf.com.

Network impact

Nmap scans typically have a very low impact on your network.

However, scanning some devices can cause unintended behavior, such as network performance issues, increased traffic volume, unusual device reporting, and excessive device logging. As a result, Arctic Wolf recommends scanning only workstations and servers.

We recommend that you avoid scanning these devices:
  • Printers, especially large scale printers
  • Medical devices
  • Internet-of-Things (IoT) devices
  • Scanners
  • Voice over Internet Protocol (VoIP) phones
  • SQL Server
  • Uninterruptible Power Supplies (UPSs)
  • Mainframes
  • Small network appliances
  • Old devices that likely were not built to handle frequent scanning activity
  • ESXi servers
    Note: Scanning these servers might lock you out and force you to restart their management service.
  • HVAC systems
  • ATMs

To exclude these devices from Nmap scanning, contact your CST at security@arcticwolf.com to adjust your denylist. We can enable Nmap scanning on individual subnets, or enable it network-wide with an exclusion list.

Note: Sensors can also use a light scan that provides less information, but reduces the likelihood of issues. Contact your CST to determine the right approach for your environment.
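The rescan triggers listed under "Nmap scans occur when" and the per-subnet enablement with a denylist described above, combined into one decision routine as an added example (this is not Arctic Wolf's sensor code; `ScanRecord`, `ScanPolicy`, and the sample addresses and timestamps are constructed). It is useful for predicting how often a given host will see scan traffic from a sensor:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INACTIVITY_GAP = timedelta(hours=1)   # "inactive for an hour" triggers a rescan
RESCAN_INTERVAL = timedelta(hours=8)  # "previous scan was 8 hours ago"

@dataclass
class ScanRecord:  # last scan attempt for one IP (constructed model, not the sensor's real data)
    started: datetime
    last_traffic: datetime  # when traffic from this IP was last observed
    completed: bool = True
    error: bool = False

@dataclass
class ScanPolicy:  # scanning enabled per subnet; the denylist always wins (hypothetical shape)
    enabled_subnets: list
    denylist: list

    def in_scope(self, ip: str) -> bool:
        addr = ip_address(ip)
        denied = any(addr in ip_network(n) for n in self.denylist)
        return not denied and any(addr in ip_network(n) for n in self.enabled_subnets)

def should_scan(ip: str, now: datetime, record: "ScanRecord | None",
                policy: ScanPolicy) -> "tuple[bool, str]":
    """Apply the page's trigger rules in order; `now` is the current traffic observation."""
    if not policy.in_scope(ip):
        return False, "excluded by policy"
    if record is None:
        return True, "first time IP seen"
    if record.error:
        return True, "previous scan hit an error"
    if not record.completed:
        return True, "previous scan never completed"
    if now - record.last_traffic >= INACTIVITY_GAP:
        return True, "IP inactive for an hour"
    if now - record.started >= RESCAN_INTERVAL:
        return True, "previous scan 8 hours ago"
    return False, "recent scan still valid"

# Constructed sample state: one /24 with scanning enabled; .50 is an excluded ESXi host.
NOW = datetime(2024, 1, 1, 12, 0)
POLICY = ScanPolicy(enabled_subnets=["10.0.1.0/24"], denylist=["10.0.1.50"])
HISTORY = {  # no record for .50: exclusion must win even over "first time seen"
    "10.0.1.10": ScanRecord(NOW - timedelta(minutes=30), NOW - timedelta(minutes=5)),
    "10.0.1.11": ScanRecord(NOW - timedelta(hours=9), NOW - timedelta(minutes=5)),
    "10.0.1.12": ScanRecord(NOW - timedelta(minutes=30), NOW - timedelta(hours=2)),
    "10.0.1.13": ScanRecord(NOW - timedelta(minutes=30), NOW, completed=False),
}
```

A caller would run `should_scan` on each new traffic observation and then update the IP's `last_traffic` (and `started` once a scan is launched).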