Potential Network Scan Detected
This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/05/17"
3integration = ["endpoint", "network_traffic"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
11target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By
12mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
13unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
14exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from
15one source host to 20 or more destination ports.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
19language = "kuery"
20license = "Elastic License v2"
21max_signals = 5
22name = "Potential Network Scan Detected"
23risk_score = 21
24rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
25severity = "low"
26tags = [
27 "Domain: Network",
28 "Tactic: Discovery",
29 "Tactic: Reconnaissance",
30 "Use Case: Network Security Monitoring",
31]
32timestamp_override = "event.ingested"
33type = "threshold"
34
35query = '''
36destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1046"
44name = "Network Service Discovery"
45reference = "https://attack.mitre.org/techniques/T1046/"
46
47
48[rule.threat.tactic]
49id = "TA0007"
50name = "Discovery"
51reference = "https://attack.mitre.org/tactics/TA0007/"
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1595"
56name = "Active Scanning"
57reference = "https://attack.mitre.org/techniques/T1595/"
58[[rule.threat.technique.subtechnique]]
59id = "T1595.001"
60name = "Scanning IP Blocks"
61reference = "https://attack.mitre.org/techniques/T1595/001/"
62
63
64
65[rule.threat.tactic]
66id = "TA0043"
67name = "Reconnaissance"
68reference = "https://attack.mitre.org/tactics/TA0043/"
69
70[rule.threshold]
71field = ["destination.ip", "source.ip"]
72value = 1
73[[rule.threshold.cardinality]]
74field = "destination.port"
75value = 250
Related rules
- Potential Network Sweep Detected
- Potential SYN-Based Network Scan Detected
- Suspicious Network Tool Launched Inside A Container
- AWS EC2 Full Network Packet Capture Detected
- AWS EC2 Network Access Control List Creation