Potential Network Scan Detected
This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule defines a threshold-based approach to detect connection attempts from a single source to a wide range of destination ports.
Elastic rule
[metadata]
creation_date = "2023/05/17"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/02/28"

[rule]
author = ["Elastic"]
description = """
This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By
mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
exploitation of the targeted system or network. This rule defines a threshold-based approach to detect connection
attempts from a single source to a wide range of destination ports.
"""
from = "now-9m"
index = ["logs-network_traffic.*", "packetbeat-*", "filebeat-*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
name = "Potential Network Scan Detected"
risk_score = 21
rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
severity = "low"
tags = [
    "Domain: Network",
    "Tactic: Discovery",
    "Tactic: Reconnaissance",
    "Use Case: Network Security Monitoring",
    "Data Source: PAN-OS",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.action:network_flow and destination.port:* and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Network Scan Detected

Network scanning is a technique used to identify open ports and services on a network, often exploited by attackers to find vulnerabilities. Adversaries may use this method to map out a network's structure and identify weak points for further exploitation. The detection rule identifies suspicious activity by monitoring for multiple connection attempts from a single source to numerous destination ports, indicating a potential scan. This helps in early detection and mitigation of reconnaissance activities.

### Possible investigation steps

- Review the source IP address involved in the alert to determine if it belongs to a known or trusted entity within the organization. Check if the IP falls within the specified ranges: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
- Analyze the network flow logs to identify the specific destination ports that were targeted by the source IP. Determine if these ports are associated with critical services or known vulnerabilities.
- Correlate the detected activity with any recent changes or updates in the network infrastructure that might explain the scanning behavior, such as new devices or services being deployed.
- Investigate if there are any other alerts or logs indicating similar scanning activities from the same source IP or other IPs within the same subnet, which might suggest a coordinated scanning effort.
- Check for any historical data or past incidents involving the source IP to assess if this behavior is part of a recurring pattern or a new anomaly.
- Consult with network administrators to verify if the detected activity aligns with any scheduled network assessments or security tests that might have been conducted without prior notification.

### False positive analysis

- Internal network scanning tools used for legitimate security assessments can trigger this rule. To manage this, create exceptions for known IP addresses of authorized scanning tools.
- Automated network monitoring systems that check service availability across multiple ports may be flagged. Exclude these systems by identifying their IP addresses and adding them to an exception list.
- Load balancers and network devices that perform health checks on various services might cause false positives. Identify these devices and configure the rule to ignore their IP addresses.
- Development and testing environments where frequent port scanning is part of routine operations can be mistakenly flagged. Implement exceptions for these environments by specifying their IP ranges.
- Regularly scheduled vulnerability assessments conducted by internal security teams can appear as network scans. Document these activities and exclude the associated IPs from triggering the rule.

### Response and remediation

- Isolate the affected host: Immediately disconnect the source IP from the network to prevent further scanning or potential exploitation of identified vulnerabilities.
- Conduct a thorough investigation: Analyze the source IP's activity logs to determine if any unauthorized access or data exfiltration has occurred. This will help assess the extent of the threat.
- Update firewall rules: Implement stricter access controls to limit the number of open ports and restrict unnecessary inbound and outbound traffic from the affected IP range.
- Patch and update systems: Ensure all systems and services identified during the scan are up-to-date with the latest security patches to mitigate known vulnerabilities.
- Monitor for recurrence: Set up enhanced monitoring for the source IP and similar scanning patterns to quickly detect and respond to any future scanning attempts.
- Escalate to security operations: If the scan is part of a larger attack or if sensitive data is at risk, escalate the incident to the security operations team for further analysis and response.
- Review and enhance detection capabilities: Evaluate the effectiveness of current detection mechanisms and consider integrating additional threat intelligence sources to improve early detection of similar threats."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"

[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"

[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"

[rule.threshold]
field = ["destination.ip", "source.ip"]
value = 1

[[rule.threshold.cardinality]]
field = "destination.port"
value = 250
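To make the threshold semantics concrete, the following added Python example (not Elastic's code) replays the rule's query filter and its per-(destination.ip, source.ip) distinct-port count over constructed flow events; the allowlist of authorized scanner IPs is an assumption mirroring the false-positive guidance, and the events are assumed to already fall within the rule's now-9m window.

```python
import ipaddress
from collections import defaultdict

# Source ranges and cardinality value taken from the rule above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_CARDINALITY = 250
# Constructed: IPs of authorized scanners, exempted as the false-positive guidance suggests.
ALLOWLIST = {"10.0.0.5"}

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def detect_port_scans(events, threshold=PORT_CARDINALITY, allowlist=ALLOWLIST):
    """Replay the rule over one window of events (assumed to already lie within now-9m).
    Query part: event.action:network_flow, destination.port present, private source.ip.
    Threshold part: group by (destination.ip, source.ip) and fire once per group whose
    count of distinct destination.port values reaches the cardinality value.
    """
    ports_by_pair = defaultdict(set)
    for ev in events:
        if ev.get("event.action") != "network_flow" or "destination.port" not in ev:
            continue
        src = ev["source.ip"]
        if not is_private(src) or src in allowlist:
            continue
        ports_by_pair[(src, ev["destination.ip"])].add(ev["destination.port"])
    alerts = [
        {"source.ip": src, "destination.ip": dst, "port_count": len(ports)}
        for (src, dst), ports in ports_by_pair.items()
        if len(ports) >= threshold
    ]
    return sorted(alerts, key=lambda a: (a["source.ip"], a["destination.ip"]))

def sample_events():
    """Constructed flows: an internal host sweeping 300 ports on one target, an allowlisted
    scanner doing the same, a non-RFC1918 source doing the same, and a chatty but benign
    client hitting one port 400 times (repeat hits must not raise the cardinality)."""
    def flow(src, dst, port):
        return {"event.action": "network_flow", "source.ip": src,
                "destination.ip": dst, "destination.port": port}
    evs = []
    for port in range(1, 301):
        for src in ("192.168.1.20", "10.0.0.5", "203.0.113.9"):
            evs.append(flow(src, "192.168.1.50", port))
    evs.extend(flow("10.1.2.3", "192.168.1.50", 443) for _ in range(400))
    return evs
```

Running `detect_port_scans(sample_events())` yields a single alert for 192.168.1.20 against 192.168.1.50 with 300 distinct ports; the allowlisted scanner, the non-private source and the single-port client are all suppressed.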
Related rules
- Potential Network Sweep Detected
- Potential SYN-Based Port Scan Detected
- Enumerating Domain Trusts via NLTEST.EXE
- Whoami Process Activity
- AdFind Command Activity