Network scan

TheMadmax · April 25, 2023, 9:01am

Hello,

I try to create a rule to detect a network scan.

For example, generate an alert if more than 10 unique destinations have been accessed from the same source IP within 1 minute.

but I don't see how to indicate the 1min in a threshold rule for example

Kind regards

vitaliidm · April 27, 2023, 12:10pm

Hey @TheMadmax! Welcome to Elastic community!

You are right, there is no time interval within a threshold rule configuration.

But I believe, playing with rule schedule interval could achieve the result for your use case: Create a detection rule | Elastic Security Solution [8.7] | Elastic

For example by setting rule interval to 1m

Thanks, Vitalii

TheMadmax · April 27, 2023, 12:39pm

Ok,I suspected a little, thanks !

system · May 25, 2023, 12:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Network Scan SIEM detection-rules	6	606	February 9, 2023
SIEM - Network scan SIEM	4	1864	August 19, 2022
Threshold security rule SIEM	9	156	August 12, 2024
Elastic SIEM - Detection Rules - Multiple Thresholds in a Rule Elastic Security	1	306	March 5, 2021
Threshold detection not working with group by SIEM elastic-stack-alerting	3	785	June 28, 2021