Potential Network Scan Detected
This rule identifies a potential port scan. A port scan is a method used by attackers to systematically probe a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule uses threshold logic to detect connection attempts from one source host to 20 or more destination ports.
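[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic", "panw"]
maturity = "production"
updated_date = "2024/09/18"

[rule]
author = ["Elastic"]
description = """
This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By
mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from
one source host to 20 or more destination ports.
"""
# Lookback window for each rule execution. The destination.port cardinality in
# [rule.threshold] is counted only within this window, so a scan paced slower
# than the cardinality value per 9 minutes will not trip the threshold.
from = "now-9m"
index = [
    "logs-endpoint.events.network-*",
    "logs-network_traffic.*",
    "packetbeat-*",
    "filebeat-*",
    "auditbeat-*",
    "logs-panw.panos*",
]
language = "kuery"
license = "Elastic License v2"
# Upper bound on alerts generated per rule execution.
max_signals = 5
name = "Potential Network Scan Detected"
risk_score = 21
rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
severity = "low"
tags = [
    "Domain: Network",
    "Tactic: Discovery",
    "Tactic: Reconnaissance",
    "Use Case: Network Security Monitoring",
    "Data Source: Elastic Defend",
    "Data Source: PAN-OS",
]
# Evaluate against ingest time instead of the event's own @timestamp so that
# flow records arriving late are still seen inside the lookback window.
timestamp_override = "event.ingested"
type = "threshold"

# Only flow events whose source address is in an RFC 1918 range are considered:
# this rule is scoped to scanning that originates inside the network, not to
# scans arriving from the internet.
# NOTE(review): confirm that every index listed above emits
# event.action "network_flow"; a data source that records a different action
# value will never match and the rule will be silently blind to it.
query = '''
destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"



[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"

# Group matching flows by (destination.ip, source.ip); a group alerts once it
# has at least `value` documents and the cardinality condition below holds.
# NOTE(review): the description says "20 or more destination ports" while the
# cardinality value here is 250 — one of the two is stale; reconcile them.
[rule.threshold]
field = ["destination.ip", "source.ip"]
value = 1
# Distinct destination.port values one source must touch on one destination
# within the lookback window before the group alerts.
[[rule.threshold.cardinality]]
field = "destination.port"
value = 250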