Network Scan

How should I write an Elastic rule that detects if more than 10 unique destinations were accessed from the same source IP within 1 minute?

Best Regards

Hi @Gurban , this would be a very straightforward threshold rule. It would look something like this:

Let me know if you need help with anything else.

If I want to convert this rule to a port scan rule, do I then have to change destination.ip to destination.port in the count field?

That's right! You might also want to exclude some IPs in the query bar, such as 127.0.0.1/localhost etc.
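As an added example (not from this thread and not Elastic's own code), a small Python emulation of what the threshold rule computes, so the logic can be sanity-checked locally: group by `source.ip`, count unique `destination.ip` (or `destination.port` for the port-scan variant) inside a one-minute window, and skip loopback sources as suggested above. The flow events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample of flow events, shaped like what the rule reads from a
# network index: @timestamp, source.ip, destination.ip, destination.port.
SAMPLE_EVENTS = [
    {"@timestamp": f"2024-01-01T10:00:{s:02d}Z", "source.ip": "10.0.0.5",
     "destination.ip": f"10.0.1.{s}", "destination.port": 445}
    for s in range(12)          # 12 unique hosts in 12 seconds: a sweep
] + [
    {"@timestamp": f"2024-01-01T10:00:{s:02d}Z", "source.ip": "10.0.0.9",
     "destination.ip": "10.0.1.1", "destination.port": 1000 + s}
    for s in range(15)          # 15 unique ports on one host: a port scan
] + [
    {"@timestamp": f"2024-01-01T10:00:{s * 20:02d}Z", "source.ip": "10.0.0.7",
     "destination.ip": f"10.0.1.{s}", "destination.port": 80}
    for s in range(3)           # 3 hosts over 40 seconds: normal traffic
] + [
    {"@timestamp": f"2024-01-01T10:00:{s:02d}Z", "source.ip": "127.0.0.1",
     "destination.ip": f"10.0.1.{s}", "destination.port": 22}
    for s in range(12)          # loopback source: excluded by the query bar
]

def excluded(ip: str) -> bool:
    """Mirror the suggested query-bar exclusion of loopback sources."""
    return ip_address(ip).is_loopback

def find_scanners(events, count_field, threshold=10, window=timedelta(minutes=1)):
    """Emulate the threshold rule: group by source.ip and flag a source when
    the number of unique count_field values seen within one window is strictly
    more than threshold. Returns {source.ip: highest unique count seen}."""
    by_source = defaultdict(list)
    for e in events:
        if excluded(e["source.ip"]):
            continue
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        by_source[e["source.ip"]].append((ts, e[count_field]))
    hits = {}
    for src, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):          # sliding one-minute window
            while items[end][0] - items[start][0] > window:
                start += 1
            uniq = {v for _, v in items[start:end + 1]}
            if len(uniq) > threshold:
                hits[src] = max(hits.get(src, 0), len(uniq))
    return hits
```

Elastic evaluates a threshold rule once per scheduled interval rather than over a sliding window, so this is a close approximation of the rule's behaviour, not an exact replica.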

Last question. What if I want to write these rules with EQL? I need an example.

It's not possible at the moment. We cannot perform unique aggregations with EQL.