Network scan


I try to create a rule to detect a network scan.

For example, generate an alert if more than 10 unique destinations have been accessed from the same source IP within 1 minute.

but I don't see how to indicate the 1min in a threshold rule for example

Kind regards

Hey @TheMadmax! Welcome to Elastic community!

You are right, there is no time interval within a threshold rule configuration.

But I believe, playing with rule schedule interval could achieve the result for your use case: Create a detection rule | Elastic Security Solution [8.7] | Elastic

For example by setting rule interval to 1m

Thanks, Vitalii

Ok,I suspected a little, thanks !

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.