Internal Horizontal Port Scan

Status: production
Severity: medium
Group by: All_Traffic.rule, All_Traffic.transport, _time, dest_ip, destination_port, gtime, src_ip, transport
Author: Dean Luxton
Source: github.com/splunk/security_content

This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1046` Network Service Discovery

Rule body splunk

name: Internal Horizontal Port Scan
id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1
version: 14
creation_date: '2024-07-01'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: TTP
description: This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
data_source:
    - AWS CloudWatchLogs VPCflow
    - Cisco Secure Firewall Threat Defense Connection Event
search: |-
    | tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port) as src_port count FROM datamodel=Network_Traffic
      WHERE All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
      BY All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip
         All_Traffic.transport All_Traffic.rule span=1s
         _time
    | `drop_dm_object_name("All_Traffic")`
    | eval gtime=_time
    | bin span=1h gtime
    | stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone
      BY src_ip dest_port gtime
         transport
    | where totalDestIPCount>=250
    | eval dest_port=transport + "/" + dest_port
    | stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone
      BY src_ip gtime
    | fields - gtime
    | `internal_horizontal_port_scan_filter`
how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to enable this search effectively.
known_false_positives: No false positives have been identified at this time.
references: []
drilldown_searches:
    - name: View the detection results for - "$src_ip$"
      search: '%original_detection_search% | search  src_ip = "$src_ip$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_ip$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs
    entity:
        field: dest_ports
        type: system
        score: 50
threat_objects:
    - field: src_ip
      type: ip_address
analytic_story:
    - Network Discovery
    - Cisco Secure Firewall Threat Defense Analytics
    - China-Nexus Threat Activity
    - Scattered Lapsus$ Hunters
asset_type: Endpoint
mitre_attack_id:
    - T1046
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: network
security_domain: network
tests:
    - name: AWS CloudWatch True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
          source: aws:cloudwatchlogs:vpcflow
          sourcetype: aws:cloudwatchlogs:vpcflow
      test_type: unit
    - name: Cisco Secure Firewall True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer
      test_type: unit

Stages and Predicates

Stage 1: `tstats`

| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port) as src_port count FROM datamodel=Network_Traffic
  WHERE All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
  BY All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip
     All_Traffic.transport All_Traffic.rule span=1s
     _time

Stage 2: `search`

| `drop_dm_object_name("All_Traffic")`

Stage 3: `eval`

| eval gtime=_time

Stage 4: `bucket`

| bin span=1h gtime

Stage 5: `stats`

| stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone
  BY src_ip dest_port gtime
     transport

Stage 6: `where`

| where totalDestIPCount>=250

Stage 7: `eval`

| eval dest_port=transport + "/" + dest_port

Stage 8: `stats`

| stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone
  BY src_ip gtime

Stage 9: `fields`

| fields - gtime

Stage 10: `search`

| `internal_horizontal_port_scan_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`All_Traffic.src_ip`	in	`"10.0.0.0/8"` `"172.16.0.0/12"` `"192.168.0.0/16"`
`totalDestIPCount`	ge	`250`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Internal Horizontal Port Scan

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `eval`

Stage 4: `bucket`

Stage 5: `stats`

Stage 6: `where`

Stage 7: `eval`

Stage 8: `stats`

Stage 9: `fields`

Stage 10: `search`

Indicators

Keyboard shortcuts

Search operators

Internal Horizontal Port Scan

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: eval

Stage 4: bucket

Stage 5: stats

Stage 6: where

Stage 7: eval

Stage 8: stats

Stage 9: fields

Stage 10: search

Indicators

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `eval`

Stage 4: `bucket`

Stage 5: `stats`

Stage 6: `where`

Stage 7: `eval`

Stage 8: `stats`

Stage 9: `fields`

Stage 10: `search`