detection.wiki

Detection rules › Kusto Query Language

Network Port Sweep from External Network (ASIM Network Session schema)

Source
upstream

'This detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilize ASIM normalization, and is applied to any source which supports the ASIM Network Session schema.'

MITRE ATT&CK coverage

TacticTechniques
ReconnaissanceT1590 Gather Victim Network Information
DiscoveryT1046 Network Service Discovery

Event coverage

ProviderEvent IDTitle
Sysmon3Network connection
Security-Auditing5152The Windows Filtering Platform blocked a packet.
Security-Auditing5154The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing5155The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing5156The Windows Filtering Platform has permitted a connection.
Security-Auditing5157The Windows Filtering Platform has blocked a connection.
Security-Auditing5158The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing5159The Windows Filtering Platform has blocked a bind to a local port.

Stages and Predicates

Stage 1: source

_Im_NetworkSession

Stage 2: where

NetworkDirection eq "Inbound"

Stage 3: summarize

Stage 4: where

 macro "(array_length(set_DstIpAddr) > threshold)"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
NetworkDirectioneq
  • Inbound