Nmap scans for sensors
Arctic Wolf sensors use the open-source tool Nmap to identify hosts in your environment.
Sensors perform Nmap scans to identify the devices that originate the flows and traffic the sensor monitors. With these scans enabled, a device profile can be built for each asset identified, creating an internal inventory of devices on each subnet. Nmap scans improve internal platform analysis, reporting, and alerting. Arctic Wolf uses the device inventory created from these scans to provide additional context in investigations and incidents. Sensors only perform basic discovery and open-port scans; they do not perform intensive port enumeration or network vulnerability tests.
A sensor scans an IP address when any of the following conditions is met:
- This is the first time the sensor has seen the IP address.
- The IP address has been inactive for an hour.
- The previous scan was 8 hours ago.
- The previous scan never completed.
- An unknown error occurred with previous scans.
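The trigger conditions above amount to a small scheduling policy evaluated each time the sensor sees traffic from an IP. The following is an added example written for this page, not Arctic Wolf sensor code: the `HostState` layout, the status values (`running`, `completed`, `incomplete`, `error`), and the reason labels are assumptions; the 1-hour and 8-hour thresholds are the ones stated on the page, and the timeline in the demo is constructed.

```python
"""Scan-scheduling policy for the five trigger conditions listed above.

Added example, not Arctic Wolf code. State layout, status values and
reason labels are assumptions; the thresholds come from the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

INACTIVITY_GAP = timedelta(hours=1)   # "inactive for an hour"
RESCAN_INTERVAL = timedelta(hours=8)  # "previous scan was 8 hours ago"


@dataclass
class HostState:
    last_seen: datetime                      # most recent flow observed from this IP
    last_scan_at: Optional[datetime] = None  # when the most recent scan was started
    last_scan_status: str = "completed"      # assumed: running | completed | incomplete | error


def scan_reason(state: Optional[HostState], now: datetime) -> Optional[str]:
    """Return the trigger condition that applies to a flow seen at `now`, or None."""
    if state is None or state.last_scan_at is None:
        return "first-seen"
    if state.last_scan_status == "running":
        return None                          # never stack scans on an in-flight one
    if now - state.last_seen >= INACTIVITY_GAP:
        return "inactive-1h"                 # host went quiet for an hour and is back
    if state.last_scan_status == "incomplete":
        return "previous-incomplete"
    if state.last_scan_status == "error":
        return "previous-error"
    if now - state.last_scan_at >= RESCAN_INTERVAL:
        return "stale-8h"
    return None


class ScanScheduler:
    """Tracks per-IP state from observed flows and decides when a scan is due."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HostState] = {}

    def observe_flow(self, ip: str, now: datetime) -> Optional[str]:
        """Call for every flow the sensor sees; returns a reason if a scan starts."""
        state = self.hosts.get(ip)
        reason = scan_reason(state, now)
        if state is None:
            state = self.hosts[ip] = HostState(last_seen=now)
        state.last_seen = now
        if reason is not None:
            state.last_scan_at = now
            state.last_scan_status = "running"
        return reason

    def record_result(self, ip: str, status: str) -> None:
        """Called when the scan finishes: completed, incomplete (aborted) or error."""
        self.hosts[ip].last_scan_status = status


if __name__ == "__main__":
    # Constructed timeline for one host.
    t0 = datetime(2024, 1, 1, 0, 0)
    sched = ScanScheduler()
    print(sched.observe_flow("10.0.0.5", t0))                          # first-seen
    sched.record_result("10.0.0.5", "completed")
    print(sched.observe_flow("10.0.0.5", t0 + timedelta(minutes=30)))  # None
    print(sched.observe_flow("10.0.0.5", t0 + timedelta(hours=2)))     # inactive-1h
```

The `running` state is the one practical addition: without it, the "previous scan never completed" condition would re-trigger on every flow while a scan is still in progress.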
Each scan gathers the following details to build the device profile:
- Hostname
- IP and MAC address
- OS
- Open ports on the device
- Device class, for example desktop, server, switch, or router
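The attributes listed above map directly onto fields of Nmap's XML output (`-oX`), which is the natural source for an inventory record. The following is an added example, not Arctic Wolf code: it parses a constructed Nmap XML document into one profile per live host. The element and attribute names (`host`, `address`, `hostnames/hostname`, `ports/port`, `os/osmatch/osclass`) are Nmap's own; the `DeviceProfile` field names are assumptions, and device class is taken from the `type` of the best-accuracy OS match.

```python
"""Build device-profile records from Nmap XML output.

Added example, not Arctic Wolf code. SAMPLE_NMAP_XML is constructed for this
page; DeviceProfile field names are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O -oX - 10.0.0.0/29">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Example Vendor"/>
    <hostnames><hostname name="fileserver.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
    </ports>
    <os>
      <osmatch name="Linux 4.15 - 5.6" accuracy="96">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="96"/>
      </osmatch>
    </os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="00:AA:BB:CC:DD:EE" addrtype="mac"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
    </ports>
    <os>
      <osmatch name="Cisco IOS 15.X" accuracy="90">
        <osclass type="router" vendor="Cisco" osfamily="IOS" osgen="15.X" accuracy="90"/>
      </osmatch>
    </os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class DeviceProfile:
    ip: str
    mac: Optional[str] = None
    hostname: Optional[str] = None
    os: Optional[str] = None
    device_class: Optional[str] = None
    open_ports: List[str] = field(default_factory=list)  # e.g. "22/tcp"


def parse_host(host: ET.Element) -> Optional[DeviceProfile]:
    """Turn one <host> element into a profile; hosts that are not up are skipped."""
    status = host.find("status")
    if status is None or status.get("state") != "up":
        return None
    ip = mac = None
    for addr in host.findall("address"):
        if addr.get("addrtype") in ("ipv4", "ipv6"):
            ip = addr.get("addr")
        elif addr.get("addrtype") == "mac":
            mac = addr.get("addr")
    if ip is None:
        return None
    profile = DeviceProfile(ip=ip, mac=mac)
    hostname = host.find("hostnames/hostname")
    if hostname is not None:
        profile.hostname = hostname.get("name")
    for port in host.findall("ports/port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            profile.open_ports.append(f"{port.get('portid')}/{port.get('protocol')}")
    # Keep the highest-accuracy OS match; its osclass "type" is the device class.
    best = None
    for match in host.findall("os/osmatch"):
        accuracy = int(match.get("accuracy", "0"))
        if best is None or accuracy > best[0]:
            best = (accuracy, match)
    if best is not None:
        profile.os = best[1].get("name")
        osclass = best[1].find("osclass")
        if osclass is not None:
            profile.device_class = osclass.get("type")
    return profile


def build_inventory(xml_text: str) -> List[DeviceProfile]:
    """Parse a whole nmaprun document into a list of profiles for live hosts."""
    root = ET.fromstring(xml_text)
    profiles = []
    for host in root.findall("host"):
        profile = parse_host(host)
        if profile is not None:
            profiles.append(profile)
    return profiles


if __name__ == "__main__":
    for entry in build_inventory(SAMPLE_NMAP_XML):
        print(entry)
```

Only hosts with `status state="up"` become inventory entries, and only ports whose `state` is `open` are recorded, so closed or filtered ports never pollute the profile.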
By default, Nmap scanning is disabled when a sensor is provisioned. If Nmap scans are enabled, sensors scan and identify internal devices based on observed network activity. Nmap scans provide context on internal devices to enhance Arctic Wolf alerts. To enable Nmap scanning, contact your Concierge Security® Team (CST) at security@arcticwolf.com.
Network impact
Nmap scans typically have a very low impact on your network.
Scanning certain devices can cause unintended behavior, such as network performance issues, increased traffic volume, unusual device reporting, and excessive device logging. We recommend testing scans against the following device types to check the performance impact before adopting widespread scanning:
- Printers, especially large scale printers
- Medical devices
- Internet-of-Things (IoT) devices
- Scanners
- Voice over Internet Protocol (VoIP) phones
- SQL Server
- Uninterruptible Power Supplies (UPSs)
- Mainframes
- Small network appliances
- ATMs
- HVAC systems
- ESXi servers
  Note: Scanning ESXi servers might lock you out and force you to restart their management service.
- Legacy hardware, for example end-of-life routers, factory sensors, and older programmable logic controllers (PLCs), which lacks the CPU headroom and memory management required to process aggressive or continuous vulnerability scans