title: Network Scans
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
logsource:
    type: firewall
detection:
    selection:
        log: network
        action: denied
    timeframe: 24h
    condition:
        - selection | count(dst_port) > 10 by src_ip
        - selection | count(dst_ip) > 10 by src_ip
falsepositives:
    - Inventarization systems
    - Vulnerability scans
    - Penetration testing activity
level: medium