Potential Network Scan Detected
This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/05/17"
3integration = ["endpoint", "network_traffic"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/01/05"
8
9[rule]
10author = ["Elastic"]
11description = '''
12This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
13target system or network for open ports, allowing them to identify available services and potential vulnerabilities.
14By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
15unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
16exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts
17from one source host to 20 or more destination ports.
18'''
19from = "now-9m"
20index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
21language = "kuery"
22license = "Elastic License v2"
23max_signals = 5
24name = "Potential Network Scan Detected"
25risk_score = 21
26rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
27severity = "low"
28tags = ["Domain: Network",
29 "Tactic: Discovery",
30 "Tactic: Reconnaissance",
31 "Use Case: Network Security Monitoring"
32 ]
33type = "threshold"
34timestamp_override = "event.ingested"
35
36query = '''
37destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
38'''
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42
43[[rule.threat.technique]]
44id = "T1046"
45name = "Network Service Discovery"
46reference = "https://attack.mitre.org/techniques/T1046/"
47
48[rule.threat.tactic]
49id = "TA0007"
50name = "Discovery"
51reference = "https://attack.mitre.org/tactics/TA0007/"
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55
56[[rule.threat.technique]]
57id = "T1595"
58name = "Active Scanning"
59reference = "https://attack.mitre.org/techniques/T1595/"
60
61[[rule.threat.technique.subtechnique]]
62id = "T1595.001"
63name = "Scanning IP Blocks"
64reference = "https://attack.mitre.org/techniques/T1595/001/"
65
66[rule.threat.tactic]
67id = "TA0043"
68name = "Reconnaissance"
69reference = "https://attack.mitre.org/tactics/TA0043/"
70
71[rule.threshold]
72field = ["destination.ip", "source.ip"]
73value = 1
74
75[[rule.threshold.cardinality]]
76field = "destination.port"
77value = 250
Related rules
- Potential Network Sweep Detected
- Potential SYN-Based Network Scan Detected
- Suspicious Network Tool Launched Inside A Container
- Unusual Discovery Signal Alert with Unusual Process Executable
- Attempt to Deactivate an Okta Network Zone