security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7693d785aad70787971432c9d7511e7166312921
sigma-rules/rules/network/discovery_potential_network_sweep_detected.toml
T
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30

78 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network,
identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses.
This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data
theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one
source host to 10 or more destination hosts on commonly used network services.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
name = "Potential Network Sweep Detected"
risk_score = 21
rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
severity = "low"
tags = [
"Domain: Network",
"Tactic: Discovery",
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring",
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"
[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
[rule.threshold]
field = ["source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.ip"
value = 100
Reference in New Issue View Git Blame Copy Permalink