security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e125a4e4cf6f6d67daa8076a4c259ed02bc9dd3f
sigma-rules/rules/network/discovery_potential_network_sweep_detected.toml
T
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-01-17 14:14:38 -05:00

77 lines
2.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/05"
[rule]
author = ["Elastic"]
description = '''
This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target
network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and
weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized
access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts
from one source host to 10 or more destination hosts on commonly used network services.
'''
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*",]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
name = "Potential Network Sweep Detected"
risk_score = 21
rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
severity = "low"
tags = ["Domain: Network",
"Tactic: Discovery",
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring"
]
type = "threshold"
timestamp_override = "event.ingested"
query = '''
destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"
[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
[rule.threshold]
field = ["source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.ip"
value = 100
Reference in New Issue View Git Blame Copy Permalink