[Rule Tuning] Port Scan Rules (#4443)

elastic · Feb 5, 2025 · 32975e5 · 32975e5
1 parent f1dee06
commit 32975e5
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 39 deletions.
diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic", "panw"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,10 +11,10 @@ This rule identifies a potential network sweep. A network sweep is a method used
 identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses.
 This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data
 theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one
-source host to 10 or more destination hosts on commonly used network services.
+source host to 100 or more destination hosts on commonly used network services.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*"]
+index = ["packetbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -27,16 +27,14 @@ tags = [
     "Tactic: Discovery",
     "Tactic: Reconnaissance",
     "Use Case: Network Security Monitoring",
-    "Data Source: Elastic Defend",
     "Data Source: PAN-OS",
     "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
-
 query = '''
-destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
-source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.action:network_flow and destination.port:(21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
+source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
 note = """## Triage and analysis
 
@@ -80,32 +78,32 @@ Network sweeps are reconnaissance techniques where attackers scan networks to id
 
 - Document and report: Record all findings, actions taken, and lessons learned in an incident report to inform future response strategies and improve network defenses."""
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1046/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1595.001"
 name = "Scanning IP Blocks"
 reference = "https://attack.mitre.org/techniques/T1595/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
@@ -114,8 +112,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 [rule.threshold]
 field = ["source.ip"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "destination.ip"
 value = 100
-
-
diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic", "panw"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,10 +12,10 @@ target system or network for open ports, allowing them to identify available ser
 mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
 unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
 exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from
-one source host to 20 or more destination ports.
+one source host to 250 or more destination ports.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*", "logs-panw.panos*"]
+index = ["logs-network_traffic.*", "packetbeat-*", "filebeat-*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -28,15 +28,14 @@ tags = [
     "Tactic: Discovery",
     "Tactic: Reconnaissance",
     "Use Case: Network Security Monitoring",
-    "Data Source: Elastic Defend",
     "Data Source: PAN-OS",
     "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
 
 query = '''
-destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.action:network_flow and destination.port:* and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
 note = """## Triage and analysis
 
@@ -74,32 +73,32 @@ Network scanning is a technique used to identify open ports and services on a ne
 - Escalate to security operations: If the scan is part of a larger attack or if sensitive data is at risk, escalate the incident to the security operations team for further analysis and response.
 - Review and enhance detection capabilities: Evaluate the effectiveness of current detection mechanisms and consider integrating additional threat intelligence sources to improve early detection of similar threats."""
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1046/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1595.001"
 name = "Scanning IP Blocks"
 reference = "https://attack.mitre.org/techniques/T1595/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
@@ -108,8 +107,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 [rule.threshold]
 field = ["destination.ip", "source.ip"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "destination.port"
 value = 250
-
-
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic", "panw"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,10 +12,10 @@ target network for open ports by sending SYN packets to multiple ports and obser
 method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch
 targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading
 to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts
-from one source host to 10 or more destination ports using 2 or less packets per port.
+from one source host to 250 or more destination ports using 2 or less packets per port.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
+index = ["logs-network_traffic.*", "packetbeat-*", "filebeat-*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -28,15 +28,13 @@ tags = [
     "Tactic: Discovery",
     "Tactic: Reconnaissance",
     "Use Case: Network Security Monitoring",
-    "Data Source: Elastic Defend",
     "Data Source: PAN-OS",
     "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
-
 query = '''
-destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.action:network_flow and destination.port:* and network.packets <= 2 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
 note = """## Triage and analysis
 
@@ -74,32 +72,32 @@ SYN-based port scanning is a reconnaissance technique where attackers send SYN p
 - Update intrusion detection and prevention systems to enhance detection capabilities for similar SYN-based port scanning activities.
 - Review and update network segmentation policies to limit the exposure of critical services and systems to internal reconnaissance activities."""
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1046/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1595.001"
 name = "Scanning IP Blocks"
 reference = "https://attack.mitre.org/techniques/T1595/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
@@ -108,8 +106,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 [rule.threshold]
 field = ["destination.ip", "source.ip"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "destination.port"
 value = 250
-
-