Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml (91 lines of code)

id: cd8faa84-4464-4b4e-96dc-b22f50c27541
name: Network Port Sweep from External Network (ASIM Network Session schema)
description: |
  'This detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilizes [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any source which supports the ASIM Network Session schema.'
severity: High
status: Available
tags:
  - Schema: ASimNetworkSessions
    SchemaVersion: 0.2.4
requiredDataConnectors:
  - connectorId: AWSS3
    dataTypes:
      - AWSVPCFlow
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsForwardedEvents
    dataTypes:
      - WindowsEvent
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
  - connectorId: MicrosoftSysmonForLinux
    dataTypes:
      - Syslog
  - connectorId: PaloAltoNetworks
    dataTypes:
      - CommonSecurityLog
  - connectorId: AzureMonitor(VMInsights)
    dataTypes:
      - VMConnection
  - connectorId: AzureFirewall
    dataTypes:
      - AzureDiagnostics
  - connectorId: AzureNSG
    dataTypes:
      - AzureDiagnostics
  - connectorId: CiscoASA
    dataTypes:
      - CommonSecurityLog
  - connectorId: CiscoAsaAma
    dataTypes:
      - CommonSecurityLog
  - connectorId: Corelight
    dataTypes:
      - Corelight_CL
  - connectorId: AIVectraStream
    dataTypes:
      - VectraStream
  - connectorId: CheckPoint
    dataTypes:
      - CommonSecurityLog
  - connectorId: Fortinet
    dataTypes:
      - CommonSecurityLog
  - connectorId: CiscoMeraki
    dataTypes:
      - Syslog
      - CiscoMerakiNativePoller
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Reconnaissance
  - Discovery
relevantTechniques:
  - T1590
  - T1046
query: |
  let lookback = 1h;
  let threshold = 20;
  _Im_NetworkSession(starttime=ago(lookback),endtime=now())
  | where NetworkDirection == "Inbound"
  // Collect up to 100 distinct destination IPs per (source IP, destination port) pair
  | summarize make_set(DstIpAddr,100) by SrcIpAddr, DstPortNumber
  // Alert when one source reached more than `threshold` distinct hosts on the same port
  | where array_length(set_DstIpAddr) > threshold
eventGroupingSettings:
  aggregationKind: SingleAlert
customDetails:
  AllDstIpAddr: set_DstIpAddr
alertDetailsOverride:
  alertDisplayNameFormat: Network Port Sweep detected on {{DstPortNumber}}
  alertDescriptionFormat: 'Network Port Sweep was detected by multiple IPs'
version: 1.0.5
kind: Scheduled