Query Details

Firewall Port Scan Detection - Vertical and Horizontal Sweeps

04 CSL Port Scan Detection

Query

CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
| summarize
    UniqueDestPorts = dcount(DestinationPort),
    UniqueDestIPs   = dcount(DestinationIP),
    TotalAttempts   = count(),
    Actions         = make_set(DeviceAction, 5),
    Protocols       = make_set(Protocol, 5),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
  by SourceIP, DeviceVendor
| where UniqueDestPorts > 30 or UniqueDestIPs > 50
| extend ScanType = case(
    UniqueDestPorts > 30 and UniqueDestIPs <= 10, "Vertical Scan (port sweep)",
    UniqueDestIPs   > 50 and UniqueDestPorts <= 5, "Horizontal Scan (host sweep)",
    "Combined Scan")
| order by UniqueDestPorts desc, UniqueDestIPs desc

Explanation

This query is designed to detect suspicious network activity, specifically port scans, which can indicate potential reconnaissance or exploitation attempts on a network. Here's a simplified breakdown:

  1. Purpose: The query identifies source IP addresses that are scanning a network by contacting either more than 30 unique destination ports (vertical scan) or more than 50 unique destination IPs (horizontal scan) within a one-hour period. These activities are often associated with network mapping or preparation for an attack.

  2. Data Source: It uses data from the CommonSecurityLog, focusing on logs from vendors like Fortinet, Palo Alto Networks, and Zscaler.

  3. Detection Logic:

    • It looks at logs from the past hour.
    • It counts the number of unique destination ports and IPs contacted by each source IP.
    • If a source IP contacts more than 30 unique ports or more than 50 unique IPs, it flags this as suspicious.
  4. Scan Type Identification:

    • If more than 30 unique ports are contacted, it's labeled a "Vertical Scan."
    • If more than 50 unique IPs are contacted, it's labeled a "Horizontal Scan."
    • If both conditions are met, it's a "Combined Scan."
  5. Alerting:

    • An alert is generated if any suspicious activity is detected.
    • The alert includes details like the source IP, the number of unique ports, and IPs contacted.
    • The alert is formatted to highlight the source IP and the nature of the scan.
  6. Incident Management:

    • If an alert is triggered, an incident is created.
    • Incidents can be grouped by source IP to manage related alerts together.

Overall, this query helps security teams identify and respond to potential reconnaissance activities on their network, which is a critical step in preventing more serious security breaches.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogDiscoveryNetworkServiceIPAddressSourceIPDestinationIPDeviceVendorDeviceActionProtocolTimeGenerated

Operators

ago()in()isnotempty()summarizedcount()count()make_set()min()max()byorextendcase()order by

Severity

Medium

Tactics

Discovery

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub