External Recon for a block of IPs
Matthiew Morin (Huntress)
Merged in a post:
Alert for Sketchy Public Services
Wolfgang Estgfaeller
I need a feature that alerts me if sketchy services are made publicly available by my clients, such as when dangerous firewall rules are created. This would help in monitoring and managing potential security risks more effectively.
Matthiew Morin (Huntress)
Merged in a post:
Manual Addition of IPs to External Recon
Wolfgang Estgfaeller
I want to be able to manually add IPs one by one to the External Recon service. This would help in cases where IPs are not automatically detected due to lack of DNS entries or being hidden behind proxies or NATs.
Matthiew Morin (Huntress)
Merged in a post:
Add Subnet to External IP Addresses List
Wolfgang Estgfaeller
I would like the ability to manually add a subnet to the list of external IP addresses in the External Recon solution. Currently, the solution only contains a fragment of the public IPs and services, and I believe having this feature would enhance its functionality.
Matthiew Morin (Huntress)
Hi Wolfgang Estgfaeller, does the External Recon capability meet your needs for this? You can find it in the left-hand navigation by hovering over the "EDR" option and then selecting External Recon.
This will show you any publicly accessible ports associated with the Public IP addresses that your EDR agents are connecting from.
Wolfgang Estgfaeller
Matthiew Morin (Huntress)
Hi Matthiew, sorry for the late reply.
It should be possible to add subnets/IP ranges to the External Recon feature.
I had a discussion about this with an agent some time ago. If I’m not mistaken, I was told this isn’t possible because you only collect public IPs from connecting EDR agents.
This approach isn’t sufficient for us, as clients typically access the internet using other IPs, while hosted services are tied to different ones.
Matthiew Morin (Huntress)
Wolfgang Estgfaeller: great, thanks for that feedback!
I'm going to merge this post into an existing one that covers that same request so it's easier for us to track.
Robert Dana
Merged in a post:
External Recon - Specify company owned IPs and IP blocks
Kris Cears
With so many agents checking-in from home networks, it would be nice if we could specify at the organization level IPs or IP blocks in use at company locations. Then on the External Recon page, differentiate those somehow so we can prioritize investigations appropriately without a bunch of extra investigative effort.
Tanner Stine
I think it would be good to bring attention back to this topic. This may be more attainable since External Recon is now referencing Shodan.
Julienne'la Harvey'la
I signed on today to make just such a suggestion! Would also like to get alert emails based on new results, but only on the specified IPs!
Kent Behrends
Most of my clients have sub-nets from two providers. Support contiguous network ranges.
Tom Strickland
Along these lines, I'd love to see a "rescan" feature that we can use to confirm things are buttoned up after adjusting firewall rules. As it is, we have to wait for Shodan to make another pass, which could be a while.
And, yes, I know we can do our own test with telnet but I'd prefer and trust 3rd party testing as being more complete.
Alvina'la Okuneva'la
Yes, this would be great!