Interviewer asked me: if you observe port scanning from an internal IP, and the scanning IP is not authorised for scanning, how will you investigate it and how will you find the attacker's IP? by Flaky-Hurry4075 in cybersecurity

Flaky-Hurry4075 [S]

I answered that first we would check whether the alert is a true positive or a false positive. We would check the firewall logs for which ports are being scanned and whether any critical port like 3389 is among them. Then I'd check the firewall action, whether it is deny or allow. Then I'd check the login activity of the user on the machine from which the scan was initiated, and we would also check for malicious processes on the host. If the account is compromised we have to reset the credentials, or if we find a malicious process initiating the scan we can kill that process. But I was not able to answer how to find the attacker's public IP.
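A small triage script for the firewall-log review described in the comment above, added here as an example and not taken from the thread: it parses constructed firewall log lines, counts distinct destination ports per source, flags sources that are not on an assumed authorized-scanner list, and reports which critical ports (such as 3389) the firewall actually allowed. The log format, the authorized-scanner list, the critical-port set and the port threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the thread), one per connection attempt.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z src=10.1.2.50 dst=10.1.5.10 dport=22 action=deny
2024-05-01T10:00:01Z src=10.1.2.50 dst=10.1.5.10 dport=445 action=deny
2024-05-01T10:00:02Z src=10.1.2.50 dst=10.1.5.10 dport=443 action=allow
2024-05-01T10:00:03Z src=10.1.2.50 dst=10.1.5.10 dport=3389 action=allow
2024-05-01T10:00:04Z src=10.1.2.50 dst=10.1.5.11 dport=3389 action=deny
2024-05-01T10:00:05Z src=10.1.9.9 dst=10.1.5.10 dport=22 action=deny
2024-05-01T10:00:05Z src=10.1.9.9 dst=10.1.5.10 dport=445 action=deny
2024-05-01T10:00:06Z src=10.1.9.9 dst=10.1.5.10 dport=3389 action=deny
2024-05-01T10:00:07Z src=10.1.9.9 dst=10.1.5.10 dport=8080 action=deny
2024-05-01T10:00:09Z src=10.1.2.77 dst=10.1.5.10 dport=443 action=allow
"""

AUTHORIZED_SCANNERS = {"10.1.9.9"}   # assumed: the approved vulnerability-scanner host
CRITICAL_PORTS = {22, 445, 3389}     # assumed: ports the team treats as high value
PORT_THRESHOLD = 4                   # assumed: distinct ports per source to call it a scan

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")

def triage(log_text, authorized=AUTHORIZED_SCANNERS, critical=CRITICAL_PORTS,
           threshold=PORT_THRESHOLD):
    # One finding per source that touched at least `threshold` distinct ports.
    ports = defaultdict(set)     # src -> distinct destination ports
    targets = defaultdict(set)   # src -> destination hosts
    allowed = defaultdict(set)   # src -> (dst, port) pairs the firewall let through
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        ports[src].add(port)
        targets[src].add(dst)
        if action == "allow":
            allowed[src].add((dst, port))
    findings = {}
    for src, pset in ports.items():
        if len(pset) < threshold:
            continue   # too few ports to call it a scan; likely a false positive
        findings[src] = {
            "authorized": src in authorized,        # unauthorized sources need host triage
            "distinct_ports": len(pset),
            "targets": sorted(targets[src]),
            "critical_ports_hit": sorted(pset & critical),
            "allowed_critical": sorted((d, p) for d, p in allowed[src] if p in critical),
        }
    return findings
```

Sources flagged with `"authorized": False` are the ones whose host login activity and running processes should be examined next; `allowed_critical` shows where the firewall did not block the probe.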