Detection rules › Kusto Query Language
Port scan detected (ASIM Network Session schema)
This rule identifies a possible port scan, in which a single source tries to access a large number of different ports in a short time frame. This may indicate that a port scanner is trying to identify open ports in order to penetrate a system. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1046 Network Service Discovery |
Event coverage
Stages and Predicates
Stage 1: source
_Im_NetworkSession
Stage 2: where
macro "(ipv4_is_private(SrcIpAddr) == false)"
Stage 3: where
not SrcIpAddr in ["127.0.0.1", "::1"]
Stage 4: summarize
Stage 5: where
AttemptedPortsCount gt "PortScanThreshold"
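The five stages above assembled into one runnable KQL query, added here as an illustration rather than the catalogued rule's own text. The threshold and lookback values, the 5-minute bin, and the use of the ASIM DstPortNumber field in the summarize stage are assumptions.

```kusto
// Added reconstruction of the stages listed above; threshold, lookback,
// bin size and the DstPortNumber field are assumptions, not the rule's text.
let PortScanThreshold = 50;   // assumed value; tune to the environment
let lookback = 1h;            // assumed query window
_Im_NetworkSession(starttime=ago(lookback))                // Stage 1: ASIM NetworkSession parser
| where ipv4_is_private(SrcIpAddr) == false                // Stage 2: keep non-private IPv4 sources
| where not(SrcIpAddr in ("127.0.0.1", "::1"))             // Stage 3: drop loopback addresses
| summarize AttemptedPortsCount = dcount(DstPortNumber),   // Stage 4: distinct ports per source
            AttemptedPorts = make_set(DstPortNumber, 100)
    by SrcIpAddr, bin(TimeGenerated, 5m)
| where AttemptedPortsCount > PortScanThreshold            // Stage 5: threshold
| project TimeGenerated, SrcIpAddr, AttemptedPortsCount, AttemptedPorts
```

Note that ipv4_is_private() returns null for anything that is not a valid IPv4 address, and a where clause keeps only rows whose predicate is true, so Stage 2 silently drops every IPv6 source, not just ::1.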
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | src_ip | in | 127.0.0.1, ::1 |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| AttemptedPortsCount | gt | PortScanThreshold |