T1595 Active Scanning Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceAction in~ ("Deny", "Drop", "Block", "Reject", "deny", "drop", "block", "reject")
| where isnotempty(SourceIP) and SourceIP !startswith "10." and SourceIP !startswith "192.168." and SourceIP !startswith "172."
| where DestinationPort > 0
| summarize
    UniqueDestPorts = dcount(DestinationPort),
    UniqueDestIPs = dcount(DestinationIP),
    TotalAttempts = count(),
    PortsTargeted = make_set(DestinationPort, 50),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    DeviceVendor = any(DeviceVendor),
    DeviceProduct = any(DeviceProduct)
    by SourceIP, bin(TimeGenerated, 5m)
| where UniqueDestPorts >= 10 or (UniqueDestIPs >= 5 and TotalAttempts >= 30)
| extend
    ScanType = case(
        UniqueDestPorts >= 20, "Aggressive Port Scan",
        UniqueDestPorts >= 10, "Port Scan",
        UniqueDestIPs >= 10, "IP Block Sweep",
        UniqueDestIPs >= 5, "Limited IP Sweep",
        "Suspicious Probe"
    ),
    ScanDurationSeconds = datetime_diff('second', LastSeen, FirstSeen),
    AttemptsPerMinute = TotalAttempts / max_of(datetime_diff('minute', LastSeen, FirstSeen), 1)
| project
    TimeGenerated,
    SourceIP,
    ScanType,
    UniqueDestPorts,
    UniqueDestIPs,
    TotalAttempts,
    AttemptsPerMinute,
    PortsTargeted,
    ScanDurationSeconds,
    FirstSeen,
    LastSeen,
    DeviceVendor,
    DeviceProduct
| order by TotalAttempts desc

medium severity medium confidence

Data Sources

Firewall IDS/IPS Network Security Appliances

Required Tables

CommonSecurityLog

False Positives

Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs

Splunk

spl

index=* (sourcetype="cisco:asa" OR sourcetype="pan:traffic" OR sourcetype="paloalto:firewall" OR sourcetype="juniper:junos:firewall" OR sourcetype="fortinet:fortigate:traffic" OR sourcetype="checkpoint:firewall")
(action=denied OR action=dropped OR action=blocked OR action=reset OR action="deny" OR action="drop")
| search NOT (src_ip="10.*" OR src_ip="192.168.*" OR src_ip="172.16.*" OR src_ip="172.17.*" OR src_ip="172.18.*" OR src_ip="172.19.*" OR src_ip="172.2*" OR src_ip="172.30.*" OR src_ip="172.31.*")
| bin _time span=5m
| stats
    dc(dest_port) as unique_dest_ports,
    dc(dest_ip) as unique_dest_ips,
    count as total_attempts,
    min(_time) as first_seen,
    max(_time) as last_seen,
    values(dest_port) as ports_targeted
    by src_ip _time
| where unique_dest_ports >= 10 OR (unique_dest_ips >= 5 AND total_attempts >= 30)
| eval scan_duration_sec = last_seen - first_seen
| eval attempts_per_min = round(total_attempts / max(scan_duration_sec / 60, 1), 2)
| eval scan_type = case(
    unique_dest_ports >= 20, "Aggressive Port Scan",
    unique_dest_ports >= 10, "Port Scan",
    unique_dest_ips >= 10, "IP Block Sweep",
    unique_dest_ips >= 5, "Limited IP Sweep",
    1==1, "Suspicious Probe"
  )
| eval first_seen_readable = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen_readable = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - total_attempts
| table _time, src_ip, scan_type, unique_dest_ports, unique_dest_ips, total_attempts, attempts_per_min, ports_targeted, first_seen_readable, last_seen_readable

medium severity medium confidence

Data Sources

Cisco ASA Palo Alto Firewall Fortinet FortiGate Check Point Firewall Juniper Firewall

Required Sourcetypes

cisco:asa pan:traffic fortinet:fortigate:traffic

False Positives

Authorized penetration testing engagements — verify with security team whether a pentest is in scope before escalating; request tester IP ranges in advance
External monitoring services (Pingdom, UptimeRobot, StatusCake) and CDN health probes that systematically check multiple ports to verify service availability
Misconfigured partner or vendor systems that have incorrect firewall rules and generate repeated blocked connection attempts that resemble scanning traffic

Elastic Security (EQL)

eql

// T1595 — Active Scanning
network where not source.ip : (
    "10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
    "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*",
    "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*",
    "172.30.*", "172.31.*", "192.168.*", "127.*"
  )
  and network.direction == "inbound"
  and event.action in ("denied", "dropped", "blocked")

medium severity medium confidence

Data Sources

Network Traffic Firewall Logs

Required Tables

logs-network_traffic.* logs-endpoint.events.network-*

False Positives

Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN NOT (INCIDR('10.0.0.0/8', sourceip) OR INCIDR('192.168.0.0/16', sourceip) OR INCIDR('172.16.0.0/12', sourceip)) AND "deviceaction" ILIKE '%deny%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (NOT (INCIDR('10.0.0.0/8', sourceip) OR INCIDR('192.168.0.0/16', sourceip) OR INCIDR('172.16.0.0/12', sourceip)) AND "deviceaction" ILIKE '%deny%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs

Sumo Logic CSE

sql

_sourceCategory=*firewall* OR _sourceCategory=*network*
| json auto
| where !(src_ip matches "10.*") and !(src_ip matches "192.168.*")
| timeslice 5m
| stats dcount(dest_port) as UniqueDestPorts, dcount(dest_ip) as UniqueDestHosts, count as TotalConns by _timeslice, src_ip
| where UniqueDestPorts >= 20 or UniqueDestHosts >= 15
| if(UniqueDestHosts >= 15 and UniqueDestPorts <= 5, "IP Block Sweep", if(UniqueDestPorts >= 20 and UniqueDestHosts <= 3, "Port Scan", "Full Network Scan")) as ScanType

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

network/firewall security/ids

False Positives

Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs

Google Chronicle / SecOps

yaral

rule t1595_active_scanning {
  meta:
    author = "df00tech"
    description = "Detects active scanning activity from external source IPs"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1595"
    confidence = "medium"
    severity = "medium"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.security_result.action = "BLOCK"
    not re.regex($e.principal.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
  match:
    $e.principal.ip over 5m
  condition:
    #e > 50
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_CONNECTION NETWORK_FLOW

False Positives

Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["NetworkConnectIP4", "NetworkConnectIP6"]
| not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy([RemoteAddressIP4], function=[count(as=TotalConns), count(field=RemotePort, distinct=true, as=UniqueDestPorts)])
| UniqueDestPorts >= 20 OR TotalConns >= 200
| case {
    UniqueDestPorts >= 50 => TechniqueLabel := "T1595 - FullNetworkScan";
    UniqueDestPorts >= 20 => TechniqueLabel := "T1595 - PortScan";
    * => TechniqueLabel := "T1595 - IPSweep"
  }
| table([@timestamp, RemoteAddressIP4, TotalConns, UniqueDestPorts, TechniqueLabel])

medium severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs

Active Scanning

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Reconnaissance

Popular Detections