Firewall Port Scan Detection - Vertical and Horizontal Sweeps
04 CSL Port Scan Detection
Query
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
| summarize
UniqueDestPorts = dcount(DestinationPort),
UniqueDestIPs = dcount(DestinationIP),
TotalAttempts = count(),
Actions = make_set(DeviceAction, 5),
Protocols = make_set(Protocol, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIP, DeviceVendor
| where UniqueDestPorts > 30 or UniqueDestIPs > 50
| extend ScanType = case(
UniqueDestPorts > 30 and UniqueDestIPs <= 10, "Vertical Scan (port sweep)",
UniqueDestIPs > 50 and UniqueDestPorts <= 5, "Horizontal Scan (host sweep)",
"Combined Scan")
| order by UniqueDestPorts desc, UniqueDestIPs descExplanation
This query is designed to detect suspicious network activity, specifically port scans, which can indicate potential reconnaissance or exploitation attempts on a network. Here's a simplified breakdown:
-
Purpose: The query identifies source IP addresses that are scanning a network by contacting either more than 30 unique destination ports (vertical scan) or more than 50 unique destination IPs (horizontal scan) within a one-hour period. These activities are often associated with network mapping or preparation for an attack.
-
Data Source: It uses data from the
CommonSecurityLog, focusing on logs from vendors like Fortinet, Palo Alto Networks, and Zscaler. -
Detection Logic:
- It looks at logs from the past hour.
- It counts the number of unique destination ports and IPs contacted by each source IP.
- If a source IP contacts more than 30 unique ports or more than 50 unique IPs, it flags this as suspicious.
-
Scan Type Identification:
- If more than 30 unique ports are contacted, it's labeled a "Vertical Scan."
- If more than 50 unique IPs are contacted, it's labeled a "Horizontal Scan."
- If both conditions are met, it's a "Combined Scan."
-
Alerting:
- An alert is generated if any suspicious activity is detected.
- The alert includes details like the source IP, the number of unique ports, and IPs contacted.
- The alert is formatted to highlight the source IP and the nature of the scan.
-
Incident Management:
- If an alert is triggered, an incident is created.
- Incidents can be grouped by source IP to manage related alerts together.
Overall, this query helps security teams identify and respond to potential reconnaissance activities on their network, which is a critical step in preventing more serious security breaches.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1h
Period: 1h