I'm setting up the SIEM feature on kibana and one of my use cases is to detect network scans using nmap or any other tool. After digging on the community I've found the following threshold rule:
Query: event.category: (network or network_traffic) and not destination.ip: 127.0.0.1
Group by: source.ip, destination.ip >= 1
Count: destination.port >= 10
Timestamp override: event.ingested
Whenever I perform a network scan using nmap on my PC, the rule seems to detect the scan. The problem is that the results are being displayed as if I've scanned only a single IP address instead of the whole VLAN. Also, when I perform the scan on a single IP address, it does not seem to detect it.
Any ideas of what it could be? I've tried many different scenarios but the result is the same.
Has anyone faced something like this?
PS: I've tried with a machine learning job as well but I'm not quite convinced with the results
That rule you've set up is for a port scan, not network scan. It is designed to work when only one address is scanned for 10 or more ports.
If you want to change that to a network scan, you will need to add destination.ip to the count field, not destination.port.
Count is performing a unique count, so keep that in mind for these types of rules. So, in the use case I described above, it would only trigger if a source IP is scanning/accessing 10 or more unique destination IP addresses.
The Group by fields are just a standard count, not unique.
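To make the difference concrete, here is a small Python emulation of the two threshold-rule shapes discussed in the reply above. It is an added example, not Elastic's code or anything posted in the thread: the events are constructed, the rule's time window is ignored, and only the group-by/unique-count semantics are modelled.

```python
from collections import defaultdict

# Constructed sample network events (not from the thread): host 10.0.0.5
# probes 12 ports on one target (a port scan) and then touches port 80 on
# 12 different hosts (a host sweep); 10.0.0.9 only talks to loopback.
SAMPLE_EVENTS = (
    [{"source.ip": "10.0.0.5", "destination.ip": "10.0.0.20", "destination.port": p}
     for p in range(20, 32)]
    + [{"source.ip": "10.0.0.5", "destination.ip": f"10.0.0.{h}", "destination.port": 80}
       for h in range(100, 112)]
    + [{"source.ip": "10.0.0.9", "destination.ip": "127.0.0.1", "destination.port": 9200}]
)


def threshold_alerts(events, group_by, cardinality_field, min_count=10):
    """Emulate a Kibana threshold rule: bucket events by the group-by fields
    (a plain document count per bucket, here >= 1), then alert when the number
    of *unique* values of cardinality_field in a bucket reaches min_count."""
    buckets = defaultdict(set)
    for ev in events:
        # Mirrors the query's "not destination.ip: 127.0.0.1" clause.
        if ev["destination.ip"] == "127.0.0.1":
            continue
        key = tuple(ev[f] for f in group_by)
        buckets[key].add(ev[cardinality_field])
    return {key: len(vals) for key, vals in buckets.items() if len(vals) >= min_count}


def port_scan_alerts(events):
    """The rule from the question: per (source.ip, destination.ip) pair,
    10 or more unique destination ports. A host sweep never reaches this."""
    return threshold_alerts(events, ("source.ip", "destination.ip"), "destination.port")


def network_scan_alerts(events):
    """The reply's adjustment: per source.ip, 10 or more unique destination IPs."""
    return threshold_alerts(events, ("source.ip",), "destination.ip")


if __name__ == "__main__":
    print("port scan alerts:   ", port_scan_alerts(SAMPLE_EVENTS))
    print("network scan alerts:", network_scan_alerts(SAMPLE_EVENTS))
```

Running it shows the port-scan rule firing once for the single (source, destination) pair with 12 unique ports, while the sweep across 12 hosts only surfaces under the network-scan variant that counts unique destination IPs per source.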
Network scanning is a procedure for identifying active devices on a network by employing a feature or features in the network protocol to signal devices and await a response.