
Network Port Sweep from External Network (ASIM Network Session schema)

Status
available
Severity
high
Time window
1h
Group by
DstPortNumber, SrcIpAddr
Source
github.com/Azure/Azure-Sentinel

This detection rule detects scenarios in which a particular port is being scanned by multiple external sources. The rule utilizes ASIM normalization and is applied to any source that supports the ASIM Network Session schema.

Rule body (kusto)

id: cd8faa84-4464-4b4e-96dc-b22f50c27541
name: Network Port Sweep from External Network (ASIM Network Session schema)
description: |
  'This detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilize [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any source which supports the ASIM Network Session schema.'
severity: High
status: Available
tags:
  - Schema: ASimNetworkSessions
    SchemaVersion: 0.2.4
requiredDataConnectors:
  - connectorId: AWSS3
    dataTypes:
      - AWSVPCFlow
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsForwardedEvents
    dataTypes:
      - WindowsEvent
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
  - connectorId: MicrosoftSysmonForLinux
    dataTypes:
      - Syslog
  - connectorId: PaloAltoNetworks
    dataTypes:
      - CommonSecurityLog
  - connectorId: AzureMonitor(VMInsights)
    dataTypes:
      - VMConnection
  - connectorId: AzureFirewall
    dataTypes:
      - AzureDiagnostics
  - connectorId: AzureNSG
    dataTypes:
      - AzureDiagnostics
  - connectorId: CiscoASA
    dataTypes:
      - CommonSecurityLog
  - connectorId: CiscoAsaAma
    dataTypes:
      - CommonSecurityLog
  - connectorId: Corelight
    dataTypes:
      - Corelight_CL
  - connectorId: AIVectraStream
    dataTypes:
      - VectraStream
  - connectorId: CheckPoint
    dataTypes:
      - CommonSecurityLog
  - connectorId: Fortinet
    dataTypes:
      - CommonSecurityLog
  - connectorId: CiscoMeraki
    dataTypes:
      - Syslog
      - CiscoMerakiNativePoller

queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Reconnaissance
  - Discovery
relevantTechniques:
  - T1590
  - T1046
query: |
  let lookback = 1h;
  let threshold = 20;
  _Im_NetworkSession(starttime=ago(lookback),endtime=now())
  | where NetworkDirection == "Inbound"
  | summarize make_set(DstIpAddr,100) by SrcIpAddr, DstPortNumber
  | where array_length(set_DstIpAddr) > threshold
eventGroupingSettings:
  aggregationKind: SingleAlert
customDetails:
  AllDstIpAddr: set_DstIpAddr

alertDetailsOverride:
  alertDisplayNameFormat: Network Port Sweep detected on {{DstPortNumber}}
  alertDescriptionFormat: 'Network Port Sweep was detection by multiple IPs'
version: 1.0.5
kind: Scheduled

Stages and Predicates

Parameters

let lookback = 1h;
let threshold = 20;

Stage 1: source

_Im_NetworkSession(starttime=ago(lookback),endtime=now())

Stage 2: where

| where NetworkDirection == "Inbound"

Stage 3: summarize

| summarize make_set(DstIpAddr,100) by SrcIpAddr, DstPortNumber

Stage 4: where

| where array_length(set_DstIpAddr) > threshold
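As an added example (not part of the rule or the Azure-Sentinel repository), the following Python reimplements the query's aggregation over constructed ASIM NetworkSession rows, so the Inbound filter, the distinct-destination threshold and the make_set cap of 100 can be checked offline. The lookback window is assumed to be applied upstream by _Im_NetworkSession, so the rows carry no timestamps.

```python
from collections import defaultdict

THRESHOLD = 20      # matches `let threshold = 20;`
MAKE_SET_CAP = 100  # make_set(DstIpAddr, 100) keeps at most 100 distinct values


def build_sample_sessions():
    """Constructed ASIM NetworkSession rows (not real telemetry)."""
    rows = []
    # 203.0.113.10 probes 25 distinct hosts on TCP/22: above the threshold.
    for i in range(1, 26):
        rows.append({"SrcIpAddr": "203.0.113.10", "DstIpAddr": f"10.0.0.{i}",
                     "DstPortNumber": 22, "NetworkDirection": "Inbound"})
    # 30 repeated hits on one host on TCP/443: only 1 distinct destination.
    for _ in range(30):
        rows.append({"SrcIpAddr": "198.51.100.7", "DstIpAddr": "10.0.0.1",
                     "DstPortNumber": 443, "NetworkDirection": "Inbound"})
    # Outbound sessions are dropped by the NetworkDirection filter.
    for i in range(1, 31):
        rows.append({"SrcIpAddr": "10.0.0.50", "DstIpAddr": f"192.0.2.{i}",
                     "DstPortNumber": 80, "NetworkDirection": "Outbound"})
    return rows


def port_sweep_alerts(sessions, threshold=THRESHOLD, cap=MAKE_SET_CAP):
    """Mirror the rule: keep Inbound sessions, group by (SrcIpAddr,
    DstPortNumber), collect distinct DstIpAddr values (capped like
    make_set) and return one alert per group whose set is > threshold."""
    dst_sets = defaultdict(list)  # list keeps insertion order, like make_set
    for s in sessions:
        if s["NetworkDirection"] != "Inbound":
            continue
        bucket = dst_sets[(s["SrcIpAddr"], s["DstPortNumber"])]
        if s["DstIpAddr"] not in bucket and len(bucket) < cap:
            bucket.append(s["DstIpAddr"])
    return [
        {"SrcIpAddr": src, "DstPortNumber": port, "AllDstIpAddr": dsts}
        for (src, port), dsts in dst_sets.items()
        if len(dsts) > threshold
    ]


if __name__ == "__main__":
    for alert in port_sweep_alerts(build_sample_sessions()):
        print(f"Network Port Sweep detected on {alert['DstPortNumber']} "
              f"from {alert['SrcIpAddr']}: {len(alert['AllDstIpAddr'])} hosts")
```

Because of the make_set cap, a source that touches far more than 100 hosts on one port still surfaces with exactly 100 entries in AllDstIpAddr; the alert fires, but the custom detail is not a complete target list.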

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field             Kind  Values
NetworkDirection  eq    Inbound (transforms: cased; corpus: 2 (kusto 2))
set_DstIpAddr     gt    20 (transforms: array_length)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field          Source
DstPortNumber  summarize
SrcIpAddr      summarize