Update discovery_potential_port_scan_detected.toml (#5571)

Jonhnathan
2026-01-16 23:21:12 -03:00
committed by GitHub
parent 31de1789c4
commit 58b0d8e553
@@ -2,7 +2,7 @@
creation_date = "2023/05/17"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/12/17"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -46,7 +46,7 @@ from logs-network_traffic.*, packetbeat-*, logs-panw.panos*
Esql.values_destination_ports = VALUES(destination.port),
Esql.values_sensitive_ports = VALUES(destination.port) where sensitive_port == true
by Esql.time_window, destination.ip, source.ip
| where (Esql.count_distinct_destination_ports >= 50 or Esql.values_sensitive_ports >= 5)
| where (Esql.count_distinct_destination_ports >= 50 or Esql.count_distinct_sensitive_ports >= 5)
| keep source.ip, destination.ip, Esql.*
'''
note = """## Triage and analysis
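Review bot: The rewritten `| where` filter now depends on `Esql.count_distinct_sensitive_ports`, a field that is not defined anywhere inside the hunk; the STATS clause that should declare it begins above line `Esql.values_destination_ports = VALUES(destination.port),`, outside the hunk, so confirm it contains something like `Esql.count_distinct_sensitive_ports = COUNT_DISTINCT(destination.port) where sensitive_port == true`, mirroring the existing `Esql.count_distinct_destination_ports`, otherwise the query fails validation and the rule silently stops producing alerts. The old line applied `>= 5` to `Esql.values_sensitive_ports`, which is a multivalued `VALUES()` result rather than a count, so the new comparison is the correct threshold semantics, and `Esql.values_sensitive_ports` is then only needed as an enrichment field carried through `keep source.ip, destination.ip, Esql.*`. The enclosing query string starts and ends outside this hunk, so the definition cannot be checked from the diff alone.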