I'm setting up the SIEM feature on Kibana and one of my use cases is to detect network scans using nmap or any other tool. After digging through the community I've found the following threshold rule:
event.category: (network or network_traffic) and not destination.ip: 127.0.0.1
source.ip, destination.ip >= 1
destination.port >= 10
Whenever I perform a network scan using nmap on my PC, the rule seems to detect the scan. The problem is that the results are displayed as if I had scanned only a single IP address instead of the whole VLAN. Also, when I scan a single IP address, it does not seem to detect it.
Any ideas of what it could be? I've tried many different scenarios but the result is the same.
Has anyone faced something like this?
PS: I've tried with a machine learning job as well but I'm not quite convinced with the results
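The following is an added example, not part of the original post and not Elastic's code. It emulates how a threshold rule of the shape posted above buckets events, assuming (an interpretation, not confirmed by the post) that `source.ip, destination.ip >= 1` are the group-by fields with a threshold of one event per bucket and `destination.port >= 10` is a cardinality condition on distinct ports. The events are constructed, not real traffic. Running it on a scan that touches one host on many ports and several other hosts on a few ports each shows why a rule grouped on both `source.ip` and `destination.ip` can surface only one source/destination pair, while grouping on `source.ip` alone would count the distinct ports across the whole subnet.

```python
from collections import defaultdict

# Constructed sample events in ECS-style field names (not real traffic).
def make_events(src, dst, ports):
    return [
        {"event.category": "network", "source.ip": src,
         "destination.ip": dst, "destination.port": p}
        for p in ports
    ]

EVENTS = (
    make_events("10.0.0.5", "10.0.0.10", range(1, 13))       # 12 distinct ports on one host
    + make_events("10.0.0.5", "10.0.0.11", [22, 80, 443, 445])  # a few ports on each
    + make_events("10.0.0.5", "10.0.0.12", [22, 80, 443, 445])  # of the remaining
    + make_events("10.0.0.5", "10.0.0.13", [22, 80, 443, 445])  # subnet hosts
    + make_events("10.0.0.7", "10.0.0.20", [443, 443, 443])     # ordinary repeated web traffic
    + make_events("10.0.0.7", "127.0.0.1", range(1, 30))        # loopback, excluded by the query
)


def query_matches(ev):
    """The KQL part of the posted rule:
    event.category: (network or network_traffic) and not destination.ip: 127.0.0.1"""
    return (ev.get("event.category") in ("network", "network_traffic")
            and ev.get("destination.ip") != "127.0.0.1")


def threshold_hits(events, group_by, cardinality_field, min_cardinality, min_count=1):
    """Emulated threshold-rule evaluation (assumed semantics, not Elastic's
    implementation): bucket matching events by the group_by fields, then
    report each bucket that has at least min_count events and at least
    min_cardinality distinct values of cardinality_field.
    Returns {group_key_tuple: distinct_value_count}."""
    buckets = defaultdict(list)
    for ev in events:
        if not query_matches(ev):
            continue
        key = tuple(ev.get(f) for f in group_by)
        buckets[key].append(ev)

    hits = {}
    for key, evs in buckets.items():
        distinct = {e.get(cardinality_field) for e in evs}
        if len(evs) >= min_count and len(distinct) >= min_cardinality:
            hits[key] = len(distinct)
    return hits


def per_pair_hits(events=EVENTS):
    """Grouping on source.ip AND destination.ip, as in the posted rule:
    each destination host is its own bucket, so only the host that was
    probed on >= 10 ports appears, which looks like a single-target scan."""
    return threshold_hits(events, ("source.ip", "destination.ip"), "destination.port", 10)


def per_source_hits(events=EVENTS):
    """Grouping on source.ip only: distinct ports are counted across every
    destination the source touched, so the subnet-wide probing shows up as
    one bucket for the scanning host."""
    return threshold_hits(events, ("source.ip",), "destination.port", 10)


if __name__ == "__main__":
    print("grouped by (source.ip, destination.ip):", per_pair_hits())
    print("grouped by (source.ip,):", per_source_hits())
```

The group-by key decides what one alert represents: with both IPs in the key, a host that spreads its probes thinly over many destinations never reaches ten distinct ports in any single bucket, and a host that concentrates on one destination produces exactly one alert for that pair. Which grouping is right depends on whether you want one alert per scanned host or one per scanning source.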