Correlation rule for detecting one host scanning multiple ports


L3 Networker



Can you please help with a correlation rule for detecting one host scanning multiple ports?





L4 Transporter



Thank you for reaching LIVEcommunity.


I'm doing some research to look into this and will get back to you as soon as I can.


L3 Networker



You can probably use this; please see below:


Correlation Alert Rule Query:

config case_sensitive = false
| preset = network_story
| filter action_remote_port < 1025 // You can increase this number according to your needs, but a port range up to 1025 will be good enough.
| fields agent_hostname as Hostname, action_local_ip as SRC_IP, action_remote_ip as DST_IP, action_remote_port as DST_Port
| comp count_distinct(DST_Port) as Counter by Hostname, SRC_IP, DST_IP
| filter Counter > 25 // Adjust the counter value according to your needs.


For the alert drill-down, please use the query below:

config case_sensitive = false 
| dataset = xdr_data 
| filter action_local_ip = $SRC_IP and action_remote_ip = $DST_IP
| fields agent_hostname as Hostname, action_local_ip, action_remote_ip, action_remote_port, actor_process_image_name, actor_process_command_line, actor_effective_username, actor_process_image_path 


Please let us know the outcome.

Kind Regards
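To show what the correlation query above actually computes, here is an added Python example (not from the poster or from Cortex XDR) that applies the same logic to a constructed set of network_story-style events: keep remote ports below 1025, count distinct destination ports per Hostname/SRC_IP/DST_IP, and alert where the count exceeds 25. The field names are taken from the query; the events and IPs are made up.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry); each record carries the
# fields the XQL query uses.
SAMPLE_EVENTS = [
    {"agent_hostname": "ws01", "action_local_ip": "10.0.0.5",
     "action_remote_ip": "10.0.0.9", "action_remote_port": p}
    for p in range(20, 50)  # 30 distinct low ports to one host: looks like a scan
] + [
    {"agent_hostname": "ws02", "action_local_ip": "10.0.0.6",
     "action_remote_ip": "10.0.0.9", "action_remote_port": 443}
    for _ in range(100)  # many connections, but a single port: normal traffic
] + [
    {"agent_hostname": "ws03", "action_local_ip": "10.0.0.7",
     "action_remote_ip": "10.0.0.9", "action_remote_port": p}
    for p in range(3000, 3040)  # 40 distinct ports, all >= 1025: dropped by the port filter
]


def port_scan_alerts(events, max_port=1025, min_distinct_ports=25):
    """Mirror the correlation query: filter action_remote_port < max_port,
    comp count_distinct(DST_Port) by Hostname, SRC_IP, DST_IP,
    then keep the groups whose Counter > min_distinct_ports."""
    distinct_ports = defaultdict(set)
    for ev in events:
        if ev["action_remote_port"] >= max_port:
            continue
        key = (ev["agent_hostname"], ev["action_local_ip"], ev["action_remote_ip"])
        distinct_ports[key].add(ev["action_remote_port"])
    return {key: len(ports) for key, ports in distinct_ports.items()
            if len(ports) > min_distinct_ports}


if __name__ == "__main__":
    for (host, src, dst), counter in port_scan_alerts(SAMPLE_EVENTS).items():
        print(f"Hostname={host} SRC_IP={src} DST_IP={dst} Counter={counter}")
```

As in the XQL, there is no time bucketing here, so the counter accumulates over whatever window the rule is evaluated on; ws03 only shows up if the port ceiling is raised.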