T1595.001 Scanning IP Blocks Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Branch 1: Inbound IP block scanning detected via perimeter firewall logs (CommonSecurityLog)
let ScanThresholdPorts = 20;
let ScanThresholdHosts = 15;
let WindowMinutes = 5;
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where SourceIP !startswith "10."
    and SourceIP !startswith "192.168."
    and SourceIP !startswith "172.16."
    and SourceIP !startswith "172.17."
    and SourceIP !startswith "172.18."
    and SourceIP !startswith "172.19."
    and SourceIP !startswith "172.20."
    and SourceIP !startswith "172.21."
    and SourceIP !startswith "172.22."
    and SourceIP !startswith "172.23."
    and SourceIP !startswith "172.24."
    and SourceIP !startswith "172.25."
    and SourceIP !startswith "172.26."
    and SourceIP !startswith "172.27."
    and SourceIP !startswith "172.28."
    and SourceIP !startswith "172.29."
    and SourceIP !startswith "172.30."
    and SourceIP !startswith "172.31."
    and SourceIP !startswith "127."
    and isnotempty(SourceIP)
| summarize
    UniqueDestPorts = dcount(DestinationPort),
    UniqueDestHosts = dcount(DestinationIP),
    TotalConnections = count(),
    DestinationPorts = make_set(DestinationPort, 50),
    SampledDestHosts = make_set(DestinationIP, 20),
    EarliestEvent = min(TimeGenerated),
    LatestEvent = max(TimeGenerated),
    DeviceVendor = any(DeviceVendor),
    DeviceProduct = any(DeviceProduct)
  by SourceIP, bin(TimeGenerated, WindowMinutes * 1m)
| where UniqueDestPorts >= ScanThresholdPorts or UniqueDestHosts >= ScanThresholdHosts
| extend ScanType = case(
    UniqueDestHosts >= ScanThresholdHosts and UniqueDestPorts <= 5, "IP Block Sweep (ping/single-port)",
    UniqueDestPorts >= ScanThresholdPorts and UniqueDestHosts <= 3, "Port Scan (single host)",
    UniqueDestHosts >= ScanThresholdHosts and UniqueDestPorts >= ScanThresholdPorts, "Full Network Scan",
    "Unknown Scan Pattern"
  )
| extend ScanDurationSeconds = datetime_diff('second', LatestEvent, EarliestEvent)
| project TimeGenerated, SourceIP, ScanType, UniqueDestPorts, UniqueDestHosts,
          TotalConnections, ScanDurationSeconds, DestinationPorts, SampledDestHosts,
          DeviceVendor, DeviceProduct
| sort by UniqueDestHosts desc, UniqueDestPorts desc
// Branch 2: Scan tool execution on internal endpoints (lateral movement / compromised host pivot)
| union (
    DeviceProcessEvents
    | where Timestamp > ago(1h)
    | where FileName in~ ("nmap", "nmap.exe", "masscan", "masscan.exe", "zmap", "unicornscan",
                          "hping3", "hping3.exe", "netdiscover", "fping", "fping.exe",
                          "angry_ip_scanner.exe", "ipscan.exe", "advanced_ip_scanner.exe")
        or ProcessCommandLine has_any ("nmap ", "masscan ", "--scan-delay", "-sS ", "-sT ",
                                       "-sV ", "-sn ", "-Pn ", "--open ", "-p- ",
                                       "port-scan", "portscan")
    | extend ScanType = "Scan Tool Executed on Endpoint"
    | extend SourceIP = ""
    | extend UniqueDestPorts = int(null)
    | extend UniqueDestHosts = int(null)
    | extend TotalConnections = int(null)
    | extend ScanDurationSeconds = int(null)
    | extend DestinationPorts = dynamic([])
    | extend SampledDestHosts = dynamic([])
    | extend DeviceVendor = ""
    | extend DeviceProduct = ""
    | project TimeGenerated=Timestamp, SourceIP=DeviceName, ScanType,
              UniqueDestPorts, UniqueDestHosts, TotalConnections, ScanDurationSeconds,
              DestinationPorts, SampledDestHosts, DeviceVendor, DeviceProduct,
              AccountName, ProcessCommandLine, InitiatingProcessFileName
  )

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Network Traffic: Network Connection Creation Process: Process Creation Firewall: Firewall Rule Modification

Required Tables

CommonSecurityLog DeviceProcessEvents

False Positives

Authorized vulnerability scanners (Qualys, Tenable Nessus, Rapid7 InsightVM) running scheduled scans from dedicated scanner IPs — allowlist scanner IP ranges
Internet-wide scanning services (Shodan, Censys, Binaryedge, Shadowserver) continuously scan public IPs and will trigger high-volume alerts — maintain an allowlist of known scanner AS numbers
Internal IT asset discovery tools (SCCM network discovery, ManageEngine, Spiceworks) scanning internal subnets — scope detection to exclude known management VLAN source IPs
Load balancer health checks and monitoring systems (Pingdom, Datadog Synthetics, AWS ELB probes) that repeatedly probe multiple ports on registered hosts
Red team engagements and authorized penetration tests — coordinate with security team to suppress alerts during test windows

Splunk

spl

| union
[
search index=network (sourcetype="cisco:asa" OR sourcetype="pan:traffic" OR sourcetype="pan:threat" OR sourcetype="juniper:junos:firewall" OR sourcetype="fortigate_traffic" OR sourcetype="checkpoint:firewall" OR sourcetype="syslog")
| eval src_ip=coalesce(src_ip, src, SourceIP, source_ip)
| eval dest_ip=coalesce(dest_ip, dst, DestinationIP, destination_ip)
| eval dest_port=coalesce(dest_port, dpt, DestinationPort, destination_port)
| where isnotnull(src_ip) AND isnotnull(dest_ip)
| where NOT match(src_ip, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)")
| bucket _time span=5m
| stats
    dc(dest_port) as unique_dest_ports,
    dc(dest_ip) as unique_dest_hosts,
    count as total_connections,
    values(dest_port) as dest_ports_list,
    values(dest_ip) as dest_hosts_list,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
  by src_ip, _time, sourcetype
| where unique_dest_ports >= 20 OR unique_dest_hosts >= 15
| eval scan_type=case(
    unique_dest_hosts >= 15 AND unique_dest_ports <= 5, "IP Block Sweep",
    unique_dest_ports >= 20 AND unique_dest_hosts <= 3, "Port Scan",
    unique_dest_hosts >= 15 AND unique_dest_ports >= 20, "Full Network Scan",
    1==1, "Unknown Scan Pattern"
  )
| eval scan_duration_seconds=last_seen - first_seen
| eval detection_branch="perimeter_firewall"
| table _time, src_ip, scan_type, unique_dest_ports, unique_dest_hosts, total_connections, scan_duration_seconds, dest_ports_list, detection_branch, sourcetype
| sort - unique_dest_hosts
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\nmap.exe" OR Image="*\\masscan.exe" OR Image="*\\hping3.exe" OR Image="*\\fping.exe"
   OR CommandLine="*nmap *" OR CommandLine="*masscan *" OR CommandLine="* -sS *" OR CommandLine="* -sT *"
   OR CommandLine="* -sV *" OR CommandLine="* -sn *" OR CommandLine="* -Pn *" OR CommandLine="*--scan-delay*"
   OR CommandLine="*port-scan*" OR CommandLine="*portscan*")
| eval src_ip=host
| eval scan_type="Scan Tool Executed on Endpoint"
| eval unique_dest_ports=null()
| eval unique_dest_hosts=null()
| eval total_connections=null()
| eval scan_duration_seconds=null()
| eval dest_ports_list=null()
| eval detection_branch="endpoint"
| table _time, src_ip, scan_type, User, CommandLine, Image, unique_dest_ports, unique_dest_hosts, total_connections, detection_branch
| sort - _time
]

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Process: Process Creation Firewall: Network Device Logs Sysmon Event ID 1

Required Sourcetypes

cisco:asa pan:traffic fortigate_traffic XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized vulnerability scanners (Qualys, Tenable, Rapid7) generating high port/host counts from known scanner IPs — build an allowlist lookup table and suppress known scanner sources
Internet-wide scan services (Shodan, Censys, Shadowserver) will appear as high-volume external scanners — maintain a threat intel feed of known benign scanner IPs to exclude
Internal IT discovery tools (SCCM, ManageEngine OpManager, SolarWinds) generating internal subnet sweeps — filter by source IP belonging to authorized management VLANs
Cloud provider health probes and CDN edge node preflight checks generating repeated multi-port connections from AWS/Azure/GCP IP ranges
Security Operations teams running authorized scans during incident response — establish a scan authorization workflow with suppression tickets

Elastic Security (EQL)

eql

// T1595.001 — Scanning IP Blocks
network where not source.ip : (
    "10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
    "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*",
    "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*",
    "172.30.*", "172.31.*", "192.168.*", "127.*"
  )
  and network.direction == "inbound"

medium severity medium confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

Authorized vulnerability scanners (Qualys, Tenable Nessus, Rapid7 InsightVM) running scheduled scans from dedicated scanner IPs — allowlist scanner IP ranges
Internet-wide scanning services (Shodan, Censys, Binaryedge, Shadowserver) continuously scan public IPs and will trigger high-volume alerts — maintain an allowlist of known scanner AS numbers
Internal IT asset discovery tools (SCCM network discovery, ManageEngine, Spiceworks) scanning internal subnets — scope detection to exclude known management VLAN source IPs
Load balancer health checks and monitoring systems (Pingdom, Datadog Synthetics, AWS ELB probes) that repeatedly probe multiple ports on registered hosts

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN NOT (INCIDR('10.0.0.0/8', sourceip) OR INCIDR('192.168.0.0/16', sourceip) OR INCIDR('172.16.0.0/12', sourceip)) THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (NOT (INCIDR('10.0.0.0/8', sourceip) OR INCIDR('192.168.0.0/16', sourceip) OR INCIDR('172.16.0.0/12', sourceip)))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Authorized vulnerability scanners (Qualys, Tenable Nessus, Rapid7 InsightVM) running scheduled scans from dedicated scanner IPs — allowlist scanner IP ranges
Internet-wide scanning services (Shodan, Censys, Binaryedge, Shadowserver) continuously scan public IPs and will trigger high-volume alerts — maintain an allowlist of known scanner AS numbers
Internal IT asset discovery tools (SCCM network discovery, ManageEngine, Spiceworks) scanning internal subnets — scope detection to exclude known management VLAN source IPs
Load balancer health checks and monitoring systems (Pingdom, Datadog Synthetics, AWS ELB probes) that repeatedly probe multiple ports on registered hosts

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

windows/events security/sysmon

False Positives

Authorized vulnerability scanners (Qualys, Tenable Nessus, Rapid7 InsightVM) running scheduled scans from dedicated scanner IPs — allowlist scanner IP ranges
Internet-wide scanning services (Shodan, Censys, Binaryedge, Shadowserver) continuously scan public IPs and will trigger high-volume alerts — maintain an allowlist of known scanner AS numbers
Internal IT asset discovery tools (SCCM network discovery, ManageEngine, Spiceworks) scanning internal subnets — scope detection to exclude known management VLAN source IPs
Load balancer health checks and monitoring systems (Pingdom, Datadog Synthetics, AWS ELB probes) that repeatedly probe multiple ports on registered hosts

Google Chronicle / SecOps

yaral

rule t1595_001_scanning_ip_blocks {
  meta:
    author = "df00tech"
    description = "Detects Scanning IP Blocks (T1595.001)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1595.001"
    confidence = "medium"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

PROCESS_LAUNCH PROCESS_OPEN

False Positives

Authorized vulnerability scanners (Qualys, Tenable Nessus, Rapid7 InsightVM) running scheduled scans from dedicated scanner IPs — allowlist scanner IP ranges
Internet-wide scanning services (Shodan, Censys, Binaryedge, Shadowserver) continuously scan public IPs and will trigger high-volume alerts — maintain an allowlist of known scanner AS numbers
Internal IT asset discovery tools (SCCM network discovery, ManageEngine, Spiceworks) scanning internal subnets — scope detection to exclude known management VLAN source IPs
Load balancer health checks and monitoring systems (Pingdom, Datadog Synthetics, AWS ELB probes) that repeatedly probe multiple ports on registered hosts

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1595.001 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1595.001 - OSINTTool";
    * => TechniqueLabel := "T1595.001 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

Authorized vulnerability scanners (Qualys, Tenable Nessus, Rapid7 InsightVM) running scheduled scans from dedicated scanner IPs — allowlist scanner IP ranges
Internet-wide scanning services (Shodan, Censys, Binaryedge, Shadowserver) continuously scan public IPs and will trigger high-volume alerts — maintain an allowlist of known scanner AS numbers
Internal IT asset discovery tools (SCCM network discovery, ManageEngine, Spiceworks) scanning internal subnets — scope detection to exclude known management VLAN source IPs
Load balancer health checks and monitoring systems (Pingdom, Datadog Synthetics, AWS ELB probes) that repeatedly probe multiple ports on registered hosts

Scanning IP Blocks

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections