Portscanning and Broadscanning
The Portscanning and Broadscanning Detectors identify attempts by a threat actor to search assets in your environment for open ports that might present attack opportunities. They do this by attempting to open a connection from one machine to another, and if the connection succeeds, then the port is open.
There are two subversions of this activity:
- Portscanning looks for many open ports of interest on a single asset.
- Broadscanning looks for many portscan activities on a large number of assets.
These detectors process streams of netflow data and look for the combinations of events that match the threshold criteria.
Portscanning Alert
Broadscanning Alert
Requirements ⫘
This detector requires the following data sources, integrations, or schemas:
- Netflow
Events are filtered to match the following criteria:
- Source and destination addresses are internal or loopback
- Set of important destination ports
Inputs ⫘
Detections are from the following normalized sources:
- Netflow
Outputs ⫘
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options ⫘
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category ⫘
- MITRE Enterprise ATT&CK - Reconnaissance - Gather Victim Network Information. For more information, see MITRE Technique T1590.
- MITRE Enterprise ATT&CK - Reconnaissance - Active Scanning. For more information, see MITRE Technique T1595.
Detector Testing ⫘
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
FROM alert WHERE metadata.creator.detector.detector_id='app:detect:portscanning'
FROM alert WHERE metadata.creator.detector.detector_id='app:detect:broadscanning'
References ⫘
- Schemas