The 'New Server Detected' ARO is based on data acquired from the Field Effect MDR network sensor.
The analytic looks for internet-accessible services on ports other than 80, 443 and 3389. It does this by reviewing established TCP connections and checking whether the client IP address falls outside the expected range for the network.
False positives can occur when the client IP for the connection is one of the network's own public IPs (for example, traffic that hairpins through the organization's NAT), or when the connection arrives over a VPN from another trusted network.
To reduce those cases, keep an up-to-date list of your organization's public IPs in the Field Effect Portal. IPs added to the Portal are validated by an analyst and tagged in the Field Effect MDR appliance, so connections from those addresses are no longer treated as external. This ARO is typically issued as an Observation: its purpose is to give you awareness of your attack surface and to confirm that only the services you intend to expose are reachable from the internet.
If the service is required and expected, dismiss the ARO. Dismissing it updates your monitoring profile and suppresses future reporting for that port on that server. The suppression is scoped to that server and port, so the same service appearing on another server, or a different port opening on the same server, is still reported.
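The following is an added illustration of the detection logic described above, written for this article and not Field Effect's own code. It reimplements the analytic over a constructed set of connection records: only established TCP connections count, ports 80, 443 and 3389 are ignored, clients inside the expected range (internal RFC 1918 space, the organization's own public IPs, and trusted VPN peer ranges) are skipped, and (server, port) pairs that have been dismissed are suppressed. The record format, the allowlists and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Ports the analytic deliberately ignores (stated in the article).
EXPECTED_PORTS = {80, 443, 3389}

# Constructed sample configuration. Addresses come from RFC 1918 and the
# RFC 5737 documentation ranges; none of them refer to real infrastructure.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical stand-in for the organization's public IPs kept in the Portal.
ORG_PUBLIC_IPS = {ipaddress.ip_address("203.0.113.10")}
# Hypothetical stand-in for a trusted partner network reached over VPN.
TRUSTED_VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Hypothetical (server, port) pairs already dismissed as required and expected.
SUPPRESSED = {("192.168.1.20", 22)}

# Constructed connection records, already normalised as client -> server.
SAMPLE_CONNECTIONS = [
    # Internet client to SSH on a host whose ARO was dismissed: suppressed.
    {"src": "192.0.2.5", "dst": "192.168.1.20", "dport": 22, "state": "ESTABLISHED"},
    # Internet client to SSH on a second host: reported.
    {"src": "192.0.2.6", "dst": "192.168.1.30", "dport": 22, "state": "ESTABLISHED"},
    # Internet client to HTTPS: out of scope for this analytic.
    {"src": "192.0.2.7", "dst": "192.168.1.30", "dport": 443, "state": "ESTABLISHED"},
    # Hairpinned connection from the organization's own public IP: expected.
    {"src": "203.0.113.10", "dst": "192.168.1.40", "dport": 8080, "state": "ESTABLISHED"},
    # Trusted VPN peer reaching SMB: expected.
    {"src": "198.51.100.9", "dst": "192.168.1.40", "dport": 445, "state": "ESTABLISHED"},
    # Internal client to PostgreSQL: expected.
    {"src": "10.0.0.5", "dst": "192.168.1.40", "dport": 5432, "state": "ESTABLISHED"},
    # Half-open connection from the internet: not established, ignored.
    {"src": "192.0.2.8", "dst": "192.168.1.40", "dport": 5432, "state": "SYN_RECV"},
    # Established internet connection to PostgreSQL: reported.
    {"src": "192.0.2.9", "dst": "192.168.1.40", "dport": 5432, "state": "ESTABLISHED"},
]


def is_expected_client(ip_str, internal=INTERNAL_RANGES,
                       org_public=ORG_PUBLIC_IPS, vpn=TRUSTED_VPN_RANGES):
    """True when the client address lies inside the expected range for the network."""
    ip = ipaddress.ip_address(ip_str)
    if ip in org_public:
        return True
    return any(ip in net for net in internal + vpn)


def detect_new_servers(connections, suppressed=SUPPRESSED):
    """Return {(server_ip, port): sorted list of external client IPs} for each
    service reachable from outside the expected range on a non-standard port."""
    exposed = defaultdict(set)
    for c in connections:
        if c["state"] != "ESTABLISHED":
            continue  # only completed handshakes prove the service answers
        if c["dport"] in EXPECTED_PORTS:
            continue  # 80/443/3389 are handled elsewhere
        if (c["dst"], c["dport"]) in suppressed:
            continue  # dismissed ARO: monitoring profile already updated
        if is_expected_client(c["src"]):
            continue  # internal host, own public IP, or trusted VPN peer
        exposed[(c["dst"], c["dport"])].add(c["src"])
    return {server: sorted(clients) for server, clients in exposed.items()}


if __name__ == "__main__":
    for (server, port), clients in sorted(detect_new_servers(SAMPLE_CONNECTIONS).items()):
        print(f"New Server Detected: {server}:{port} reached from {', '.join(clients)}")
```

Running the script reports only 192.168.1.30:22 and 192.168.1.40:5432. The hairpinned and VPN connections drop out because their sources are in the allowlists, which is exactly what keeping the Portal's public IP list current achieves; the half-open SYN_RECV record is ignored because the analytic only trusts established connections.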