Potential Network Scan Detected

Last updated 3 days ago on 2025-02-28

Created 2 years ago on 2023-05-17

About

This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule defines a threshold-based approach to detect connection attempts from a single source to a wide range of destination ports.

Tags

Domain: NetworkTactic: DiscoveryTactic: ReconnaissanceUse Case: Network Security MonitoringData Source: PAN-OSLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

↳ Network Service Discovery (T1046)(opens in a new tab or window)

Reconnaissance (TA0043)(opens in a new tab or window)

↳ Active Scanning (T1595)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Threshold Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-network_traffic.*packetbeat-*filebeat-*logs-panw.panos*

Related Integrations

network_traffic(opens in a new tab or window)

panw(opens in a new tab or window)

Query

event.action:network_flow and destination.port:* and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)

Install detection rules in Elastic Security

Detect Potential Network Scan Detected in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).