Network Scan

How should I write an Elastic rule that detects if more than 10 unique destinations were accessed from the same source IP within 1 minute?

Best Regards

Hi @Gurban, this would be a very straightforward threshold rule. It would look something like this:

Let me know if you need help with anything else.

If I want to convert this rule to a port scan rule, do I have to change destination.ip to destination.port in the count field?

That's right! You might also want to exclude some IPs in the query bar, such as 127.0.0.1/localhost etc.
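The screenshot of the threshold rule that the reply above refers to is not part of this thread as captured, so here is an added example (not the poster's rule, and not from Elastic) showing both variants: the network scan rule grouped by `source.ip` with a cardinality condition on `destination.ip`, and the port scan variant with the cardinality field switched to `destination.port`. The rule body follows the shape of the Kibana Detection Engine API for threshold rules; the index patterns, the `127.0.0.1` exclusion, the risk score and the `now-1m` lookback are assumptions to adapt. Because the question asks for more than 10 unique destinations, the cardinality value is 11 (the condition fires when the distinct count is greater than or equal to the value). The `evaluate()` function reimplements what one rule execution computes so the behaviour can be checked offline against constructed sample events.

```python
"""Threshold-rule model for network and port scan detection (added example)."""
from datetime import datetime, timedelta, timezone


def scan_rule(target_field: str, name: str) -> dict:
    """Rule body in the shape of the Kibana detection engine threshold rule API.

    source.ip / destination.ip / destination.port are ECS field names; the index
    patterns, query exclusion and scoring are assumptions, not values from the thread."""
    return {
        "name": name,
        "type": "threshold",
        "language": "kuery",
        "index": ["logs-*", "filebeat-*", "packetbeat-*"],
        "query": "event.category:network and not destination.ip:127.0.0.1",
        "threshold": {
            "field": ["source.ip"],  # one group (and one alert) per source address
            "value": 1,              # minimum document count per group
            # "more than 10 unique" => distinct count >= 11
            "cardinality": [{"field": target_field, "value": 11}],
        },
        "from": "now-1m",   # lookback window of each execution
        "interval": "1m",   # how often the rule runs
        "risk_score": 47,
        "severity": "medium",
    }


NETWORK_SCAN_RULE = scan_rule("destination.ip", "Possible network scan (>10 destinations / 1m)")
PORT_SCAN_RULE = scan_rule("destination.port", "Possible port scan (>10 destination ports / 1m)")

EXCLUDED_DESTINATIONS = {"127.0.0.1"}  # mirrors the `not destination.ip:127.0.0.1` clause


def _lookback(rule: dict) -> timedelta:
    # Assumes "from" is written as "now-<N>m" (minutes), as in the rules above.
    return timedelta(minutes=int(rule["from"][len("now-"):-1]))


def evaluate(rule: dict, events: list, now: datetime) -> dict:
    """Model one rule execution.

    Events inside [now - lookback, now] that match the query are grouped by
    threshold.field; a group alerts when its document count and the distinct
    count of the cardinality field both reach their configured values.
    Returns {source.ip: distinct count} for the groups that would alert."""
    lookback = _lookback(rule)
    group_field = rule["threshold"]["field"][0]
    card = rule["threshold"]["cardinality"][0]
    docs, distinct = {}, {}
    for ev in events:
        if ev.get("event.category") != "network" or ev["destination.ip"] in EXCLUDED_DESTINATIONS:
            continue
        if not (now - lookback <= ev["@timestamp"] <= now):
            continue
        key = ev[group_field]
        docs[key] = docs.get(key, 0) + 1
        distinct.setdefault(key, set()).add(ev[card["field"]])
    return {src: len(vals) for src, vals in distinct.items()
            if docs[src] >= rule["threshold"]["value"] and len(vals) >= card["value"]}


def sample_events(now: datetime) -> list:
    """Constructed sample flow records (not real traffic)."""
    t = lambda secs_ago: now - timedelta(seconds=secs_ago)
    mk = lambda ts, src, dst, port: {"@timestamp": ts, "event.category": "network",
                                     "source.ip": src, "destination.ip": dst,
                                     "destination.port": port}
    events = []
    # 10.0.0.5 sweeps 12 hosts on SMB within the last 30 s -> network scan
    events += [mk(t(30 - i), "10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 13)]
    # 10.0.0.9 probes 16 ports on a single host -> port scan, not a network scan
    events += [mk(t(p), "10.0.0.9", "10.0.1.50", p) for p in range(20, 36)]
    # 10.0.0.7 touched 15 hosts, but five minutes ago: outside the 1 m window
    events += [mk(t(300 + i), "10.0.0.7", f"10.0.2.{i}", 80) for i in range(1, 16)]
    # loopback traffic from 10.0.0.9 is excluded by the query, so it adds no ports
    events += [mk(t(5), "10.0.0.9", "127.0.0.1", p) for p in range(1000, 1020)]
    return events


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def demo() -> tuple:
    events = sample_events(NOW)
    return evaluate(NETWORK_SCAN_RULE, events, NOW), evaluate(PORT_SCAN_RULE, events, NOW)


if __name__ == "__main__":
    net, ports = demo()
    print("network scan alerts:", net)    # {'10.0.0.5': 12}
    print("port scan alerts:", ports)     # {'10.0.0.9': 16}
```

The only difference between the two rules is the field inside `threshold.cardinality`, which is the change the reply above describes; the exclusion clause matters because without it the loopback flows would inflate the distinct port count for `10.0.0.9`. Note that a real execution only sees events indexed before the run, so a scan straddling two intervals may be split across windows, which is why the lookback is often set a little longer than the interval.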

Last question. What if I want to write these rules with EQL? I need an example.

It's not possible at the moment. We cannot perform unique aggregations with EQL.
