[Population Job]: port scanner

Hello everybody,

I would like to create a machine learning job to detect port scanner
so I have configured my job like that:

Job Type: Population
Population field: destination.ip
Add metric: Distinct count(destination.port)
Influencers: I have tried source.ip alone and then destination.ip alone and then both of them

and I got a result like that:

The problem is that I am getting just the destination.ip

for me I would like to know the source.ip which is scanning my machines and the destination.ip to know which machine is scanned.

Could you please tell me how I have to configure my Machine Learning job

Thanks

1 Like

The config, and having both source.ip and destination.ip as influencers, is also recommended. If you're not seeing certain source.ips showing up as influencers, then basically that means that there isn't a significant single IP that is dominating and exhibiting that kind of behavior. If a certain destination.ip has a highly unusual number of ports being scanned, then it is not unimaginable that many source.ips did that.

You could contrive an anomaly that you want to detect by allowing the ML job to learn for a while, then artificially create a port scan from a single device and see if the anomaly is reported as you expect.

1 Like
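The job described in the question, written out as the request body for Elastic's `PUT _ml/anomaly_detectors/<job_id>` API (an added example, not configuration posted in this thread). The first detector is the population detector the question describes; the second, keyed by source.ip and using `high_distinct_count`, is an assumption added so that a source touching unusually many ports becomes the unusual member of the population itself, with the scanned destination.ip still surfacing as an influencer. The job id, bucket span and time field are assumptions, and the datafeed (for example over the packetbeat-* index mentioned below) is created separately.

```json
{
  "description": "Port scan detection: hosts or sources touching unusually many distinct destination ports",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "distinct_count(destination.port) over destination.ip",
        "function": "distinct_count",
        "field_name": "destination.port",
        "over_field_name": "destination.ip"
      },
      {
        "detector_description": "high_distinct_count(destination.port) over source.ip",
        "function": "high_distinct_count",
        "field_name": "destination.port",
        "over_field_name": "source.ip"
      }
    ],
    "influencers": [
      "source.ip",
      "destination.ip"
    ]
  },
  "data_description": {
    "time_field": "@timestamp"
  }
}
```

Because a population detector compares each member against all the others in the same bucket, the baseline learned from traffic that already contains many scanners will treat that level of port diversity as normal, which is the effect described in the last post.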

I changed the index and I tried it with the packetbeat-* index and then scanned a machine where packetbeat is installed, and the machine learning job worked perfectly.

I think that the job didn't work with my firewall logs because there are a lot of machines that are scanning my network, so the job is learning while the machines are scanning, so it will consider that as normal traffic :frowning: