Query Details

04 CSL Port Scan Detection

Query

id: d4e5f6a7-b8c9-4d0e-1f2a-3b4c5d6e7f8a
name: "Firewall Port Scan Detection - Vertical and Horizontal Sweeps"
version: 1.0.0
kind: Scheduled
description: |
  Detects network reconnaissance activity by identifying source IPs that contact more than
  30 unique destination ports (vertical/port sweep) or more than 50 unique destination IPs
  (horizontal/host sweep) within a 1-hour window. Both patterns indicate active network
  mapping or exploitation preparation.
  MITRE ATT&CK: T1046 (Network Service Discovery)
severity: Medium
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Discovery
relevantTechniques:
  - T1046
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1h)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  | where isnotempty(SourceIP) and isnotempty(DestinationIP)
  | summarize
      UniqueDestPorts = dcount(DestinationPort),
      UniqueDestIPs   = dcount(DestinationIP),
      TotalAttempts   = count(),
      Actions         = make_set(DeviceAction, 5),
      Protocols       = make_set(Protocol, 5),
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated)
    by SourceIP, DeviceVendor
  | where UniqueDestPorts > 30 or UniqueDestIPs > 50
  | extend ScanType = case(
      UniqueDestPorts > 30 and UniqueDestIPs <= 10, "Vertical Scan (port sweep)",
      UniqueDestIPs   > 50 and UniqueDestPorts <= 5, "Horizontal Scan (host sweep)",
      "Combined Scan")
  | order by UniqueDestPorts desc, UniqueDestIPs desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
customDetails:
  UniqueDestPorts: UniqueDestPorts
  UniqueDestIPs: UniqueDestIPs
  TotalAttempts: TotalAttempts
  ScanType: ScanType
alertDetailsOverride:
  alertDisplayNameFormat: "Port Scan Detected - {{SourceIP}} hit {{UniqueDestPorts}} ports"
  alertDescriptionFormat: "Source {{SourceIP}} targeted {{UniqueDestIPs}} IPs across {{UniqueDestPorts}} unique ports. Possible network reconnaissance activity."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT3H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious network activity, specifically port scans, which can indicate potential reconnaissance or exploitation attempts on a network. Here's a simplified breakdown:

  1. Purpose: The query identifies source IP addresses that are scanning a network by contacting either more than 30 unique destination ports (vertical scan) or more than 50 unique destination IPs (horizontal scan) within a one-hour period. These activities are often associated with network mapping or preparation for an attack.

  2. Data Source: It uses data from the CommonSecurityLog, focusing on logs from vendors like Fortinet, Palo Alto Networks, and Zscaler.

  3. Detection Logic:

    • It looks at logs from the past hour (the query both runs and looks back one hour, so consecutive runs do not overlap).
    • It counts the distinct destination ports and distinct destination IPs contacted by each source IP, grouped separately per reporting vendor, along with the total attempts, the first few actions and protocols seen, and the first and last timestamps.
    • If a source IP contacts more than 30 distinct ports or more than 50 distinct IPs, it is kept as suspicious.
  4. Scan Type Identification:

    • More than 30 distinct ports against at most 10 destination IPs is labeled a "Vertical Scan (port sweep)."
    • More than 50 distinct IPs on at most 5 distinct ports is labeled a "Horizontal Scan (host sweep)."
    • Anything else that crossed a threshold falls through to "Combined Scan." That label therefore does not mean both thresholds were exceeded: 35 ports across 20 hosts, or even 31 ports across 11 hosts, both land here because the vertical label also requires 10 or fewer destination IPs.
  5. Alerting:

    • An alert is generated whenever the query returns at least one row (triggerOperator gt with triggerThreshold 0).
    • The source IP is mapped as the IP entity, and the distinct port, distinct IP and total attempt counts are attached as custom details.
    • The display name and description are built from those counts. The display name quotes only the port count, so a pure horizontal sweep reads as having "hit 1 ports"; the IP count is in the description and custom details.
  6. Incident Management:

    • If an alert is triggered, an incident is created.
    • Alerts for the same source IP entity raised within a three-hour lookback are grouped into one incident; closed incidents are not reopened.

Overall, this query helps security teams identify and respond to reconnaissance on their network, which is usually an early step in a larger intrusion. Two tuning notes before enabling it: dcount() is an approximate (HyperLogLog-based) count, so a source sitting right at 30 ports or 50 IPs can land on either side of the threshold from run to run; and the rule does not filter on DeviceAction, so allowed traffic counts the same as denied traffic. Web-proxy sources such as Zscaler, NAT gateways, load balancers and authorized vulnerability scanners will routinely exceed 50 distinct destination IPs in an hour, so expect to exclude them (for example by restricting the query to denied or dropped actions, or by maintaining a watchlist of scanner IPs) before the rule produces a manageable volume.
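
To check the classification rules offline, here is an added example (not from the page, the query author, or Microsoft) that re-implements the summarize/where/extend/order pipeline in plain Python and runs it over constructed CommonSecurityLog-style rows. The row builder, the sample IP addresses and the NOW timestamp are assumptions made for the example; the thresholds, vendor list and case() logic are taken from the query above. Distinct counts here are exact, whereas KQL dcount() is an estimate.

```python
"""Plain-Python re-implementation of the port-scan rule's pipeline over constructed
sample rows. Added example; not the page's, the query author's, or Microsoft's code."""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_VENDORS = {"Fortinet", "Palo Alto Networks", "Zscaler"}
PORT_THRESHOLD = 30   # UniqueDestPorts > 30 flags a vertical (port) sweep candidate
IP_THRESHOLD = 50     # UniqueDestIPs   > 50 flags a horizontal (host) sweep candidate
NOW = datetime(2026, 3, 2, 12, 0, 0)   # assumed "current time" for the sample run


def classify(unique_ports: int, unique_ips: int) -> str:
    """Mirror the query's case(): each label needs a high count on one axis AND a low
    count on the other; everything else that crossed a threshold is 'Combined Scan'."""
    if unique_ports > PORT_THRESHOLD and unique_ips <= 10:
        return "Vertical Scan (port sweep)"
    if unique_ips > IP_THRESHOLD and unique_ports <= 5:
        return "Horizontal Scan (host sweep)"
    return "Combined Scan"


def detect_port_scans(rows, now, window=timedelta(hours=1)):
    """Return the rows the KQL would return, in the same order. Distinct counts are
    exact here; KQL dcount() is a HyperLogLog estimate, so borderline sources differ."""
    groups = defaultdict(lambda: {"ports": set(), "ips": set(), "count": 0,
                                  "actions": set(), "protocols": set(),
                                  "first": None, "last": None})
    for r in rows:
        if r["TimeGenerated"] <= now - window:            # where TimeGenerated > ago(1h)
            continue
        if r["DeviceVendor"] not in WATCHED_VENDORS:      # where DeviceVendor in (...)
            continue
        if not r.get("SourceIP") or not r.get("DestinationIP"):   # isnotempty(...)
            continue
        g = groups[(r["SourceIP"], r["DeviceVendor"])]   # summarize ... by SourceIP, DeviceVendor
        g["ports"].add(r["DestinationPort"])
        g["ips"].add(r["DestinationIP"])
        g["count"] += 1
        g["actions"].add(r["DeviceAction"])
        g["protocols"].add(r["Protocol"])
        t = r["TimeGenerated"]
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)

    results = []
    for (src, vendor), g in groups.items():
        n_ports, n_ips = len(g["ports"]), len(g["ips"])
        if not (n_ports > PORT_THRESHOLD or n_ips > IP_THRESHOLD):   # where ... or ...
            continue
        results.append({
            "SourceIP": src, "DeviceVendor": vendor,
            "UniqueDestPorts": n_ports, "UniqueDestIPs": n_ips,
            "TotalAttempts": g["count"],
            "Actions": sorted(g["actions"])[:5], "Protocols": sorted(g["protocols"])[:5],
            "FirstSeen": g["first"], "LastSeen": g["last"],
            "ScanType": classify(n_ports, n_ips),          # extend ScanType = case(...)
        })
    results.sort(key=lambda x: (-x["UniqueDestPorts"], -x["UniqueDestIPs"]))  # order by ... desc
    return results


def build_sample_rows(now):
    """Constructed sample traffic (not real logs). Each block is one behaviour the rule
    should or should not catch; addresses are RFC 1918 / TEST-NET-2 placeholders."""
    def row(src, dst, port, vendor="Palo Alto Networks", action="deny", proto="TCP", age_min=10):
        return {"TimeGenerated": now - timedelta(minutes=age_min), "DeviceVendor": vendor,
                "SourceIP": src, "DestinationIP": dst, "DestinationPort": port,
                "DeviceAction": action, "Protocol": proto}

    rows = []
    rows += [row("10.0.0.5", "10.0.1.20", p) for p in range(1, 41)]                           # 1 host, 40 ports
    rows += [row("10.0.0.6", f"10.0.2.{i}", 445, vendor="Fortinet") for i in range(1, 61)]    # 60 hosts, 1 port
    rows += [row("10.0.0.7", f"10.0.3.{i}", p) for i in range(1, 21) for p in range(20, 55)]  # 20 hosts x 35 ports
    rows += [row("10.0.0.8", f"198.51.100.{i}", p, action="allow")
             for i, p in ((1, 443), (2, 443), (3, 80))]                                        # benign browsing
    rows += [row("10.0.0.9", "10.0.1.21", p, vendor="Cisco") for p in range(1, 41)]           # vendor not in in() list
    rows += [row("10.0.0.10", "10.0.1.22", p, age_min=90) for p in range(1, 41)]              # outside the 1h window
    return rows


def run_sample():
    return detect_port_scans(build_sample_rows(NOW), NOW)


if __name__ == "__main__":
    for hit in run_sample():
        print(f'{hit["SourceIP"]:<10} {hit["ScanType"]:<30} ports={hit["UniqueDestPorts"]:<3} '
              f'ips={hit["UniqueDestIPs"]:<3} attempts={hit["TotalAttempts"]}')
```

Running it yields three hits in the query's sort order: 10.0.0.5 as a vertical scan, 10.0.0.7 as a combined scan (35 ports across 20 hosts, which misses the vertical label only because it touched more than 10 IPs), and 10.0.0.6 as a horizontal scan. The benign browser, the Cisco-reported source and the 90-minute-old sweep never reach the threshold check, which is exactly the filtering the first three where clauses perform.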

Details


David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, Discovery, NetworkService, IPAddress, SourceIP, DestinationIP, DeviceVendor, DeviceAction, Protocol, TimeGenerated

Operators

ago(), in(), isnotempty(), summarize, dcount(), count(), make_set(), min(), max(), by, or, extend, case(), order by