recently, i am monitoring traffic on stealthwatch and i found an ip link-local within. stealthwatch detected that is coming from inside network and it showed behavior like scanning tcp and SMB for file sharing to outside host and inside host. this ip have a connection to another outside ip bogon. please help me to investigate and determine what is this ip do ?
below here i attach pict of the event.
OK. Lots going on here.
You have defined two host groups: Link Local and Bogon Subnets
The inside IP 169.254.162.200 appears in both of those host groups.
You are seeing 4 different alarms: High SMB Peers, New Flows, Max flows, and Connect to Bogon.
The 'New Flows' should not normally be an issue. It just means a new device has started connecting over the network.
The 'Max flows' could be an issue. It means that you have a baseline set and that the source IP host is exceeding that baseline. That could be a start up issue with a new deployment (and ignored) OR it could mean that host is suddenly very active and should be investigated.
You have a 'High SMB Peers' alarm. That's the same as above. The baseline on a new install could be low. That could go away over the next days or weeks. In the meantime investigate what that host is doing.
The 'Connect to Bogon' means that some inside host is connecting to an external (outside) IP that has been identified as a Bogon. Bogon's are IP addresses that either should not or do not exist in public IP address space. That could be something that is built into a security event in your local SW or it could be coming from the Threat Intel feed or the Cognitive Threat Analytics. I don't know which you have configured.
In general you should investigate these Bogon connections and consider adding ACLs to either your Internet router or your Firewall to block those connections.
Hope this helps.