04-13-2023 01:43 AM
Hello,
Can you please help with a correlation rule for detecting one host scanning multiple ports?
Regards,
Shashank
04-13-2023 10:35 PM
Hi,
You can probably use this, please see below:
Correlation Alert Rule Query:
config case_sensitive = false
| preset = network_story
| filter action_remote_port < 1025 //You can increase this number according to your needs but port range till 1025 will be good enough.
| fields agent_hostname as Hostname, action_local_ip as SRC_IP, action_remote_ip as DST_IP, action_remote_port as DST_Port
| comp count_distinct(DST_Port) as Counter by Hostname, SRC_IP, DST_IP
| filter Counter > 25 //Adjust the counter value according to your needs.
For alert drill-down, please use the query below:
config case_sensitive = false
| dataset = xdr_data
| filter action_local_ip = $SRC_IP and action_remote_ip = $DST_IP
| fields agent_hostname as Hostname, action_local_ip, action_remote_ip, action_remote_port, actor_process_image_name, actor_process_command_line, actor_effective_username, actor_process_image_path
Please let us know the outcome.
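An added example, not part of the reply above and not Palo Alto code: the same grouping and threshold logic in Python, run over constructed connection records so the two tunables (port ceiling and distinct-port counter) can be tried offline before changing the rule. It assumes all records fall inside one rule evaluation window; the function names and sample hosts and IPs are hypothetical, and the field names are the ones used in the query.

```python
from collections import defaultdict

PORT_CEILING = 1025       # mirrors: filter action_remote_port < 1025
DISTINCT_THRESHOLD = 25   # mirrors: filter Counter > 25


def detect_port_scans(events, port_ceiling=PORT_CEILING, threshold=DISTINCT_THRESHOLD):
    """Return {(hostname, src_ip, dst_ip): distinct_port_count} for groups above threshold."""
    ports = defaultdict(set)
    for ev in events:
        port = ev["action_remote_port"]
        if port >= port_ceiling:
            continue  # dropped by the port filter, never counted
        key = (ev["agent_hostname"], ev["action_local_ip"], ev["action_remote_ip"])
        ports[key].add(port)  # a set gives count_distinct semantics
    return {k: len(v) for k, v in ports.items() if len(v) > threshold}


def make_event(host, src, dst, port):
    """Build one constructed record with the fields the query reads."""
    return {
        "agent_hostname": host,
        "action_local_ip": src,
        "action_remote_ip": dst,
        "action_remote_port": port,
    }


def sample_events():
    """Constructed sample data, not real telemetry."""
    events = []
    # WS-01: 30 distinct low ports on one destination -> alert (30 > 25)
    events += [make_event("WS-01", "10.0.0.5", "10.0.0.20", p) for p in range(20, 50)]
    # WS-02: 200 connections to the same port -> 1 distinct port, no alert
    events += [make_event("WS-02", "10.0.0.6", "10.0.0.20", 443) for _ in range(200)]
    # WS-03: exactly 25 distinct ports -> no alert, the comparison is strictly greater
    events += [make_event("WS-03", "10.0.0.7", "10.0.0.20", p) for p in range(1, 26)]
    # WS-04: 40 distinct ports, all >= 1025 -> removed by the port filter
    events += [make_event("WS-04", "10.0.0.8", "10.0.0.20", p) for p in range(8000, 8040)]
    return events


if __name__ == "__main__":
    for (host, src, dst), count in detect_port_scans(sample_events()).items():
        print(f"{host} {src} -> {dst}: {count} distinct ports")
```

Raising `port_ceiling` brings WS-04 into scope, which is the trade-off the comment on the port filter refers to: wider coverage against more groups to evaluate and tune.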