# tcpnull

**Explanation**

The tcpnull event detects NULL TCP flows: TCP segments with none of the TCP flags (SYN, ACK, FIN, RST, PSH, URG) set. A conforming TCP implementation never emits such a segment, so flag-less packets are almost always the product of a NULL scan, a reconnaissance technique in which an attacker sends flag-less probes to map listening ports (a closed port answers with RST, an open port stays silent) while slipping past filters that only inspect SYN packets. This event uses the Netography Detection Method (NDM), which is based on statistical analysis of network traffic, to detect NULL TCP flows.
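The check itself is simple: inspect the flags byte of each TCP header, or the cumulative `tcp_flags` field of a flow record, and look for a value of zero. The following example is added here to illustrate that logic and is not code from the Netography/Vectra detection model; the packets and flow records it operates on are constructed inline, and the `min_ports` scanning threshold is an arbitrary assumption for the demonstration.

```python
"""Detect NULL TCP segments (no TCP flags set) in raw IPv4/TCP packets and in
NetFlow-style flow records. Illustrative example, not the product's detection
logic. All packets and flow records below are constructed test data."""
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 793, ECE/CWR from RFC 3168).
TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal IPv4+TCP packet (no payload, checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) or None if the bytes are not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # protocol 6 = TCP
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                         # flags byte follows the data offset byte
    return src, dst, sport, dport, flags


def is_null_segment(flags):
    """NULL scan probe: none of the eight flag bits set. Every segment a real
    connection produces carries at least SYN, ACK, RST or FIN."""
    return flags & 0xFF == 0


def describe_flags(flags):
    return ",".join(name for bit, name in TCP_FLAGS.items() if flags & bit) or "NULL"


def find_null_scanners(pkts, min_ports=3):
    """Group NULL segments by source and report sources that probed at least
    min_ports distinct (destination, port) pairs, i.e. scanning rather than a stray packet."""
    targets_by_src = {}
    for pkt in pkts:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, _sport, dport, flags = parsed
        if is_null_segment(flags):
            targets_by_src.setdefault(src, set()).add((dst, dport))
    return {src: sorted(t) for src, t in targets_by_src.items() if len(t) >= min_ports}


def null_flows(flow_records):
    """Flow-record variant: tcp_flags is the OR of every flag seen in the flow, so a
    TCP flow whose cumulative flags are zero consisted only of NULL segments.
    The proto check matters: UDP records also carry tcp_flags == 0."""
    return [f for f in flow_records if f["proto"] == 6 and f["tcp_flags"] == 0]


# Constructed sample traffic: one NULL scan across four ports, two normal
# segments from another host, and a single stray flag-less packet.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "192.168.1.10", 40000 + i, port, 0x00)
    for i, port in enumerate([22, 80, 443, 3389])
] + [
    build_ipv4_tcp("10.0.0.7", "192.168.1.10", 51000, 443, 0x02),   # SYN
    build_ipv4_tcp("10.0.0.7", "192.168.1.10", 51000, 443, 0x18),   # PSH,ACK
    build_ipv4_tcp("10.0.0.9", "192.168.1.10", 52000, 8080, 0x00),  # one probe, below threshold
]

# Constructed flow records with a cumulative tcp_flags field.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 22, "proto": 6, "tcp_flags": 0x00, "packets": 1},
    {"src": "10.0.0.7", "dst": "192.168.1.10", "dport": 443, "proto": 6, "tcp_flags": 0x1B, "packets": 12},
    {"src": "10.0.0.8", "dst": "192.168.1.10", "dport": 53, "proto": 17, "tcp_flags": 0x00, "packets": 2},
]

if __name__ == "__main__":
    for src, targets in find_null_scanners(SAMPLE_PACKETS).items():
        print(f"NULL scan from {src}: {len(targets)} ports probed -> {targets}")
    for f in null_flows(SAMPLE_FLOWS):
        print(f"NULL TCP flow {f['src']} -> {f['dst']}:{f['dport']} ({describe_flags(f['tcp_flags'])})")
```

On a live sensor the equivalent capture filter is `tcpdump 'tcp[tcpflags] == 0'`; the per-source grouping above is what separates a scan from an isolated malformed packet, which is the same distinction an analyst makes when triaging this event.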

**What to Look For**

If this event is triggered, NULL TCP flows were observed on your network. Review the flows the event reports to determine whether they are legitimate or malicious. A single source sending flag-less segments to many destination ports or hosts is the signature of a NULL scan and indicates reconnaissance; a handful of stray flag-less packets is more likely a misbehaving device or middlebox. Check the source endpoint for scanning tools and for suspicious processes or connections related to the traffic. If there is evidence of malicious activity, remediate the affected host, review the services it probed, and implement additional security measures to prevent future attacks.

**Related MITRE ATT&CK Categories**

[Discovery: Network Service Discovery, Technique T1046 - Enterprise](https://attack.mitre.org/techniques/T1046)

[Reconnaissance: Active Scanning, Technique T1595 - Enterprise](https://attack.mitre.org/techniques/T1595)
