# internal\_snmp\_sweep

**Explanation**

internal\_snmp\_sweep is a detection model that identifies an SNMP sweep occurring in the network. The model triggers any time a large number of SNMP requests are sent to different devices on the network.

**What to Look For**

When examining the results of the internal\_snmp\_sweep NDM, first identify machines that may be authorized to perform SNMP sweeps on the network, such as network monitoring devices, and add these devices to "Discard" in this NDM. Endpoint logs should also be monitored to determine the source of the sweep. An SNMP sweep can indicate that an attacker is mapping out network topologies during the reconnaissance phase of an attack, so identifying these sweeps is important for preventing potential attacks later on.
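The trigger condition and the "Discard" exclusion described above, sketched as an added example (this is not the product's own detection logic): it counts distinct SNMP destinations per source inside a sliding window. The window length, the threshold, the flow-record layout and all IP addresses are assumptions constructed for illustration; the page gives no values for them.

```python
from collections import defaultdict, deque

SNMP_PORT = 161                      # standard SNMP agent port (UDP)
WINDOW_SECONDS = 60                  # assumed window, not from the page
MIN_DISTINCT_DSTS = 5                # assumed threshold, not from the page
DISCARD = frozenset({"10.0.0.5"})    # constructed: authorized monitoring host

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = (
    # authorized monitor polling six devices (excluded by DISCARD)
    [(1000 + i, "10.0.0.5", f"10.0.1.{i + 1}", "udp", 161) for i in range(6)]
    # unknown host querying six different devices within seconds
    + [(1010 + i, "10.0.2.44", f"10.0.1.{i + 1}", "udp", 161) for i in range(6)]
    # host polling a single device repeatedly: many requests, one target
    + [(1020 + i, "10.0.3.7", "10.0.1.1", "udp", 161) for i in range(8)]
    # host reaching six devices, but 100 s apart (outside the window)
    + [(2000 + 100 * i, "10.0.4.9", f"10.0.1.{i + 1}", "udp", 161) for i in range(6)]
    # unrelated non-SNMP traffic
    + [(1012, "10.0.2.44", "10.0.9.9", "tcp", 443)]
)


def detect_snmp_sweeps(flows, window=WINDOW_SECONDS,
                       threshold=MIN_DISTINCT_DSTS, discard=DISCARD):
    """Return {src_ip: (timestamp_of_first_alert, distinct_dsts_at_alert)}."""
    recent = defaultdict(deque)      # src -> (ts, dst) pairs still in window
    alerts = {}
    for ts, src, dst, proto, dport in sorted(flows):
        if proto != "udp" or dport != SNMP_PORT or src in discard:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # evict requests older than the window
            q.popleft()
        distinct = {d for _, d in q}  # repeated polls of one device count once
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (ts, n) in detect_snmp_sweeps(SAMPLE_FLOWS).items():
        print(f"SNMP sweep: {src} reached {n} devices by t={ts}")
```

Running the same function with an empty discard set shows which alerts the exclusion is suppressing, which is a useful review step before adding a host to it.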

**Related MITRE ATT\&CK Categories**

[Discovery: Network Service Discovery, Technique T1046 - Enterprise](https://attack.mitre.org/techniques/T1046)

