Correlation rule for detecting one host scanning multiple ports


L3 Networker

Hello,

 

Can you please help with a correlation rule for detecting one host scanning multiple ports?

 

Regards,

Shashank

2 REPLIES

L4 Transporter

Hi, 

 

Thank you for reaching LIVEcommunity.

 

I'm doing some research to look into this and will get back to you as soon as I can.

 

L3 Networker

Hi,

 

You can probably use this, please see below:

 

Correlation Alert Rule Query:

config case_sensitive = false 
| preset = network_story 
| filter action_remote_port < 1025 //You can increase this number according to your needs but port range till 1025 will be good enough.
| fields agent_hostname as Hostname, action_local_ip as SRC_IP, action_remote_ip as DST_IP, action_remote_port as DST_Port
| comp count_distinct(DST_Port) as Counter by Hostname, SRC_IP, DST_IP 
| filter Counter > 25 //Adjust the counter value according to your needs.

 

For alert drill down, please use below:

config case_sensitive = false 
| dataset = xdr_data 
| filter action_local_ip = $SRC_IP and action_remote_ip = $DST_IP
| fields agent_hostname as Hostname, action_local_ip, action_remote_ip, action_remote_port, actor_process_image_name, actor_process_command_line, actor_effective_username, actor_process_image_path 

 

Please let us know the outcome.

Kind Regards
KS
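To see what the correlation query above actually computes, here is an offline re-implementation of its grouping and thresholding logic over constructed xdr_data-style records. This is an added example, not code from the post or from Cortex XDR; the field names mirror the query, the sample events and the process name "scanner.exe" are made up.

```python
"""Offline model of the XQL correlation rule: count distinct low destination
ports per (Hostname, SRC_IP, DST_IP) and flag pairs above a threshold.
Added example; not part of the original post or of Cortex XDR."""
from collections import defaultdict

MAX_PORT = 1025               # filter action_remote_port < 1025
DISTINCT_PORT_THRESHOLD = 25  # filter Counter > 25


def find_port_scanners(events, max_port=MAX_PORT, threshold=DISTINCT_PORT_THRESHOLD):
    """Return {(hostname, src_ip, dst_ip): distinct_port_count} for every
    source/destination pair whose distinct low-port count exceeds threshold.
    `events` are dicts using the xdr_data field names from the query."""
    distinct_ports = defaultdict(set)
    for ev in events:
        port = ev["action_remote_port"]
        if port >= max_port:  # ignore ephemeral/high ports, as the query does
            continue
        key = (ev["agent_hostname"], ev["action_local_ip"], ev["action_remote_ip"])
        distinct_ports[key].add(port)  # comp count_distinct(DST_Port)
    return {k: len(p) for k, p in distinct_ports.items() if len(p) > threshold}


def drilldown(events, src_ip, dst_ip):
    """Model of the drill-down query: every event between the flagged pair,
    so the analyst can see which process and user generated the connections."""
    return [ev for ev in events
            if ev["action_local_ip"] == src_ip and ev["action_remote_ip"] == dst_ip]


def _ev(host, src, dst, port, image):
    return {"agent_hostname": host, "action_local_ip": src, "action_remote_ip": dst,
            "action_remote_port": port, "actor_process_image_name": image}


# Constructed sample telemetry (not real data):
#  - WS-01 probes 40 distinct low ports on 10.0.0.20 (should be flagged)
#  - WS-01 makes 60 legitimate connections to 10.0.0.30:443 (one distinct port)
#  - WS-02 hits 100 high ports on 10.0.0.20 (all dropped by the < 1025 filter)
SAMPLE_EVENTS = (
    [_ev("WS-01", "10.0.0.5", "10.0.0.20", p, "scanner.exe") for p in range(1, 41)]
    + [_ev("WS-01", "10.0.0.5", "10.0.0.30", 443, "chrome.exe") for _ in range(60)]
    + [_ev("WS-02", "10.0.0.6", "10.0.0.20", p, "svchost.exe") for p in range(40000, 40100)]
)

if __name__ == "__main__":
    for (host, src, dst), n in find_port_scanners(SAMPLE_EVENTS).items():
        print(f"{host} {src} -> {dst}: {n} distinct ports below {MAX_PORT}")
        procs = {e["actor_process_image_name"] for e in drilldown(SAMPLE_EVENTS, src, dst)}
        print("  processes:", ", ".join(sorted(procs)))
```

Raising the threshold or lowering the port cut-off changes what gets flagged, so tune both against a baseline of normal traffic on the hosts you monitor.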