Basic Scanning

Description

Looks for hosts that reach out to more than 500 hosts, or more than 500 ports in a short period of time, indicating scanning.


Use Case

Security Monitoring

Category

Scanning

Security Impact

Scanning is a way for attackers to discover the attack surface of your organization (effectively, perform discovery), so they can prepare for an attack, or prepare for the next phase of an attack. It should only ever happen from authorized sources (e.g., vulnerability scanners) internally, and if someone else is doing scanning, you should know about it!

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Discovery

MITRE ATT&CK Techniques

Network Service Scanning
Remote System Discovery

MITRE Threat Groups

APT3
APT32
APT39
APT41
BRONZE BUTLER
Cobalt Group
Deep Panda
Dragonfly 2.0
FIN5
FIN6
FIN8
Ke3chang
Leafminer
OilRig
Soft Cell
Suckfly
Threat Group-3390
Tropic Trooper
Turla
menuPass

Kill Chain Phases

Reconnaissance

Data Sources

Network Communication

How to Implement

This search should work out of the box with Palo Alto Networks firewalls, and with any other device whose logs are mapped to the Splunk Common Information Model. Just make sure you use a Splunk Add-on that maps your logs to the Common Information Model (search on Splunkbase!).

Known False Positives

The greatest source of false positives for this example is not really false positives. If you have external logs where hosts on the internet are port scanning your public infrastructure, it is definitely scanning, but it's not something you can actually do anything about. Many environments will add the following to their search strings to keep only internal (and their own public) source addresses:

| search src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16 OR [your public ranges]

You will also likely benefit from excluding any vulnerability scanners in your environment, as you pay them to scan the network.

How To Respond

When scanning is occurring from an internal source, it's usually an indication that a host is infected and you need to start an incident response to understand how and with what. When scanning occurs from outside sources, you probably don't care at all, because it's so difficult to do any meaningful response -- many people will add a filter to this search to exclude those (see Known False Positives).

Help

Basic Scanning Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Palo Alto Networks logs (onboarded in accordance with our Data Onboarding Guides), during which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for PAN or the Common Information Model.

SPL for Basic Scanning

Demo Data

First we bring in our basic demo dataset, Firewall Logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the same hour.
Next, stats gives us the distinct count (aka unique count) of ips and ports that were used per source IP, per hour.
Finally we can filter for more than 1000 src_ips or dest_ports.
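Written out as an added example (not the page's own saved search), this is the demo-data search the three steps above describe. It assumes the Load_Sample_Log_Data macro takes the dataset name as its argument, and reads "ips and ports used per source IP" as the distinct count of destination IPs (dest_ip) and destination ports (dest_port), which are the CIM field names for firewall traffic; the 1000 threshold is the one stated above:

```spl
| `Load_Sample_Log_Data("Firewall Logs")`
| bin _time span=1h
| stats dc(dest_ip) AS dest_ip_count, dc(dest_port) AS dest_port_count BY src_ip, _time
| where dest_ip_count > 1000 OR dest_port_count > 1000
```

The bin step is what makes this a rate: without it, stats would count every destination a host ever touched across the whole sample, and a busy but legitimate server would trip the threshold.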

Live Data

First we bring in our basic dataset, Firewall Logs, from the last hour.
Next, stats gives us the distinct count (aka unique count) of ips and ports that were used per source IP.
Finally we can filter for more than 1000 src_ips or dest_ports.
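The live-data search the steps above describe, as an added example rather than the page's own search. It assumes the Palo Alto Networks Add-on sourcetype pan:traffic, the CIM Network Traffic tags (tag=network tag=communicate) for any other CIM-mapped firewall, and an assumed lookup named authorized_scanners.csv with a src_ip column that lists your vulnerability scanners; the two filter lines implement the exclusions from Known False Positives and can be dropped if you don't want them:

```spl
earliest=-1h (sourcetype=pan:traffic OR (tag=network tag=communicate))
| search src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16
| search NOT [| inputlookup authorized_scanners.csv | fields src_ip]
| stats dc(dest_ip) AS dest_ip_count, dc(dest_port) AS dest_port_count BY src_ip
| where dest_ip_count > 1000 OR dest_port_count > 1000
```

Note the parentheses around the tag pair: Splunk evaluates OR before AND, so without them the sourcetype clause would be ANDed with tag=communicate and the PAN events would be dropped. The filters sit before stats so the distinct counts are only computed for sources you would actually act on; scheduling this every hour over the last hour gives the same hourly rate as the demo search's bin step.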

Accelerated Data

First we bring in our basic dataset, Firewall Logs, from the last hour via our accelerated data model, and get the distinct count (aka unique count) of ips and ports that were used per source IP.
Finally we can filter for more than 1000 src_ips or dest_ports.
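The accelerated variant described above, as an added example rather than the page's own search. It assumes the CIM Network_Traffic data model is accelerated in your environment (summariesonly=true makes tstats read only the accelerated summaries, so unaccelerated events are silently skipped) and uses that model's All_Traffic.src_ip, All_Traffic.dest_ip and All_Traffic.dest_port fields:

```spl
| tstats summariesonly=true
    dc(All_Traffic.dest_ip) AS dest_ip_count,
    dc(All_Traffic.dest_port) AS dest_port_count
    FROM datamodel=Network_Traffic WHERE earliest=-1h BY All_Traffic.src_ip
| rename All_Traffic.src_ip AS src_ip
| where dest_ip_count > 1000 OR dest_port_count > 1000
| search src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16
```

Because tstats does the counting inside the summary, the internal-range filter from Known False Positives has to come after it on the small result set (or be expressed as an additional constraint in the WHERE clause); either way the results are the same src_ip, dest_ip_count and dest_port_count columns as the live search, so the same alert and response process applies.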

Screenshot of Demo Data