Potential Network Sweep Detected

Last updated: 2025-02-28
Created: 2023-05-17

About

This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule defines a threshold-based approach to detect multiple connection attempts from a single host to numerous destination hosts over commonly used network services.
Tags
Domain: Network
Tactic: Discovery
Tactic: Reconnaissance
Use Case: Network Security Monitoring
Data Source: PAN-OS
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)

Reconnaissance (TA0043)

License
Elastic License v2

Definition

Rule Type
Threshold Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
packetbeat-*
filebeat-*
logs-network_traffic.*
logs-panw.panos*
Related Integrations

network_traffic

panw

Query
event.action:network_flow and destination.port:(21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
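To see how the threshold logic described above behaves on real flow records, here is an added Python example (not Elastic's code) that applies the same filter as the KQL query to a constructed batch of network_flow events, groups the matches by source.ip, and reports sources whose distinct destination.ip count reaches a threshold. The threshold value, the flow() helper and the sample events are assumptions for illustration; the page does not state the rule's actual threshold.

```python
import ipaddress
from collections import defaultdict

# Ports and private source ranges taken from the rule's KQL query above.
SWEEP_PORTS = {21, 22, 23, 25, 139, 445, 3389, 5985, 5986}
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def matches_query(event):
    """Mirror the KQL filter: a network_flow to a sweep port from a private source."""
    if event.get("event.action") != "network_flow":
        return False
    if event.get("destination.port") not in SWEEP_PORTS:
        return False
    try:
        src = ipaddress.ip_address(event["source.ip"])
    except (KeyError, ValueError):
        return False
    return any(src in net for net in PRIVATE_NETS)

def detect_sweeps(events, threshold):
    """Group matching flows by source.ip and report sources whose number of
    distinct destination.ip values reaches the threshold. The threshold is an
    assumption here; the page does not state the rule's actual value."""
    targets = defaultdict(set)
    for ev in events:
        if matches_query(ev):
            targets[ev["source.ip"]].add(ev["destination.ip"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}

# Constructed sample flows (not real traffic): one internal host touching
# twenty hosts on 445, a normal host, an external source, and a non-flow event.
def flow(src, dst, port, action="network_flow"):
    return {"event.action": action, "source.ip": src,
            "destination.ip": dst, "destination.port": port}

SAMPLE_EVENTS = (
    [flow("10.1.1.50", f"10.1.2.{i}", 445) for i in range(1, 21)]
    + [flow("10.1.1.50", "10.1.2.5", 22)]          # same destination, not double-counted
    + [flow("192.168.5.9", "192.168.5.1", 22)]     # ordinary single connection
    + [flow("8.8.8.8", f"10.1.2.{i}", 3389) for i in range(1, 21)]  # external source, excluded
    + [flow("10.1.1.50", "10.1.2.99", 445, action="dns")]           # not a network_flow
)

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_EVENTS, threshold=10))  # {'10.1.1.50': 20}
```

Note that the count is of distinct destinations, so repeated connections to one host never raise a source toward the threshold; only the breadth of targets does.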

Install detection rules in Elastic Security

Add the Potential Network Sweep Detected rule to the Elastic Security detection engine by installing it into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.