Potential Network Scan Detected

edit

This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.

Rule type: threshold

Rule indices:

  • logs-endpoint.events.network-*
  • logs-network_traffic.*
  • packetbeat-*
  • filebeat-*
  • auditbeat-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Network
  • Tactic: Discovery
  • Tactic: Reconnaissance
  • Use Case: Network Security Monitoring

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)

Framework: MITRE ATT&CKTM