SIEM - Network scan

Hi guys!

I'm setting up the SIEM feature on kibana and one of my use cases is to detect network scans using nmap or any other tool. After digging on the community I've found the following threshold rule:

Query: event.category: (network or network_traffic) and not destination.ip:

Group by: source.ip, destination ip >= 1
Count: destination.port >= 10
Timestamp override: event.ingested

Whenever I perform a network scan using nmap on my PC, the rule seems to detect the scan, the problem is that the results are being displayed as if I've scanned only a single IP address instead of the whole VLAN. also, when I perform the scan to a single IP address, it does not seems to detect it.

Any ideas of what it could be ? I've tried many different scenarios but the result is the same.

Has anyone faced something like this ?

PS: I've tried with a machine learning job as well but I'm not quite convinced with the results


Hi @ldmontoya ,

That rule you've set up is for a port scan, not network scan. It is designed to work when only one address is scanned for 10 or more ports.

if you want to change that to a network scan, you will need to add the destination.ip to the count field, not destination.port.

Count is performing a unique count - so keep that in mind for these type of rules. So, in the use case I described above, it would only trigger if a source IP is scanning/accessing 10 or more unique destination IP addresses.

The Group by fields are just a standard count, not unique.

Hope this helps.



Thank you for your suggestion, unfortunately somehow the rule is unable to detect the scan. I've been trying with different ways too.


Network scanning is a procedure for identifying active devices on a network by employing a feature or features in the network protocol to signal devices and await a response.

Rachel Gomez

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.