T1595.001 Microsoft Sentinel · KQL

Detect Scanning IP Blocks in Microsoft Sentinel

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adversaries may scan IP blocks to gather victim network information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts. Information from these scans may reveal opportunities for other forms of reconnaissance, establishing operational resources, or gaining initial access.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1595 Active Scanning
Sub-technique
T1595.001 Scanning IP Blocks
Canonical reference
https://attack.mitre.org/techniques/T1595/001/

KQL Detection Query

Microsoft Sentinel (KQL)
// Branch 1: Inbound IP block scanning detected via perimeter firewall logs (CommonSecurityLog)
let ScanThresholdPorts = 20;
let ScanThresholdHosts = 15;
let WindowMinutes = 5;
CommonSecurityLog
| where TimeGenerated > ago(1h)
// Keep only external sources: drop empty values, RFC 1918 ranges (10/8, 172.16/12, 192.168/16) and loopback.
// ipv4_is_private() returns null for non-IPv4 input, so "!= true" keeps IPv6 sources in scope.
| where isnotempty(SourceIP)
    and ipv4_is_private(SourceIP) != true
    and SourceIP !startswith "127."
| summarize
    UniqueDestPorts = dcount(DestinationPort),
    UniqueDestHosts = dcount(DestinationIP),
    TotalConnections = count(),
    DestinationPorts = make_set(DestinationPort, 50),
    SampledDestHosts = make_set(DestinationIP, 20),
    EarliestEvent = min(TimeGenerated),
    LatestEvent = max(TimeGenerated),
    DeviceVendor = take_any(DeviceVendor),
    DeviceProduct = take_any(DeviceProduct)
  by SourceIP, bin(TimeGenerated, WindowMinutes * 1m)
| where UniqueDestPorts >= ScanThresholdPorts or UniqueDestHosts >= ScanThresholdHosts
| extend ScanType = case(
    UniqueDestHosts >= ScanThresholdHosts and UniqueDestPorts <= 5, "IP Block Sweep (ping/single-port)",
    UniqueDestPorts >= ScanThresholdPorts and UniqueDestHosts <= 3, "Port Scan (single host)",
    UniqueDestHosts >= ScanThresholdHosts and UniqueDestPorts >= ScanThresholdPorts, "Full Network Scan",
    "Unknown Scan Pattern"
  )
// tolong() pins the type so this column unions cleanly with Branch 2's long(null) placeholder
| extend ScanDurationSeconds = tolong(datetime_diff('second', LatestEvent, EarliestEvent))
| project TimeGenerated, SourceIP, ScanType, UniqueDestPorts, UniqueDestHosts,
          TotalConnections, ScanDurationSeconds, DestinationPorts, SampledDestHosts,
          DeviceVendor, DeviceProduct
// Branch 2: Scan tool execution on internal endpoints (lateral movement / compromised host pivot)
| union (
    DeviceProcessEvents
    | where Timestamp > ago(1h)
    | where FileName in~ ("nmap", "nmap.exe", "masscan", "masscan.exe", "zmap", "unicornscan",
                          "hping3", "hping3.exe", "netdiscover", "fping", "fping.exe",
                          "angry_ip_scanner.exe", "ipscan.exe", "advanced_ip_scanner.exe")
        or ProcessCommandLine has_any ("nmap ", "masscan ", "--scan-delay", "-sS ", "-sT ",
                                       "-sV ", "-sn ", "-Pn ", "--open ", "-p- ",
                                       "port-scan", "portscan")
    // Placeholders so the schema matches Branch 1. The numeric columns must be long, not int:
    // union splits columns that share a name but differ in type into separate, type-suffixed columns.
    | extend ScanType = "Scan Tool Executed on Endpoint",
             UniqueDestPorts = long(null), UniqueDestHosts = long(null),
             TotalConnections = long(null), ScanDurationSeconds = long(null),
             DestinationPorts = dynamic([]), SampledDestHosts = dynamic([]),
             DeviceVendor = "", DeviceProduct = ""
    // In this branch SourceIP carries the endpoint hostname rather than an address
    | project TimeGenerated = Timestamp, SourceIP = DeviceName, ScanType,
              UniqueDestPorts, UniqueDestHosts, TotalConnections, ScanDurationSeconds,
              DestinationPorts, SampledDestHosts, DeviceVendor, DeviceProduct,
              AccountName, ProcessCommandLine, InitiatingProcessFileName
  )
// Sort after the union so both branches share one ordering; a sort applied before the union is not preserved
| sort by UniqueDestHosts desc, UniqueDestPorts desc
Severity: medium · Confidence: medium

Detects IP block scanning in two complementary ways. Branch 1 analyzes CommonSecurityLog (CEF-format firewall/IDS logs) for external source IPs generating abnormal counts of unique destination ports or destination hosts within a 5-minute window, classifying scans as IP sweeps, port scans, or full network scans. Branch 2 detects scan tool execution (nmap, masscan, zmap, hping3) on internal endpoints, which indicates a compromised host being used to pivot and scan internal network segments. Thresholds are conservative and should be tuned to your environment's baseline.
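To check the thresholds and the ScanType classification before deploying the rule, the following is an added Python re-implementation of Branch 1's summarize/case() logic run over constructed CommonSecurityLog-like records; it is not the page's own code. Field names, thresholds, the 5-minute bin and the exclusion ranges mirror the query, the sample addresses are documentation ranges, and one sample source deliberately lands in the case() gap (over the host threshold, but matched by no named branch).

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SCAN_THRESHOLD_PORTS, SCAN_THRESHOLD_HOSTS, WINDOW_MINUTES = 20, 15, 5   # same values as the query
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_excluded_source(ip):
    """Drop empty/unparsable, RFC 1918 and loopback sources, as the query's where clause does."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in EXCLUDED_NETS)

def bin_time(ts):  # equivalent of bin(TimeGenerated, 5m): floor to the 5-minute boundary
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)

def classify(hosts, ports):
    """Same case() order as the query: the first matching branch wins."""
    if hosts >= SCAN_THRESHOLD_HOSTS and ports <= 5:
        return "IP Block Sweep (ping/single-port)"
    if ports >= SCAN_THRESHOLD_PORTS and hosts <= 3:
        return "Port Scan (single host)"
    if hosts >= SCAN_THRESHOLD_HOSTS and ports >= SCAN_THRESHOLD_PORTS:
        return "Full Network Scan"
    return "Unknown Scan Pattern"  # e.g. 15+ hosts but 6..19 ports: over threshold, matched by no branch

def detect_scans(records):
    """Group by (SourceIP, 5-minute bin) like the query's summarize, then apply both thresholds."""
    groups = defaultdict(lambda: {"ports": set(), "hosts": set(), "count": 0})
    for r in records:
        if not is_excluded_source(r["SourceIP"]):
            g = groups[(r["SourceIP"], bin_time(r["TimeGenerated"]))]
            g["ports"].add(r["DestinationPort"]); g["hosts"].add(r["DestinationIP"]); g["count"] += 1
    alerts = [{"SourceIP": src, "Window": w, "UniqueDestHosts": len(g["hosts"]), "UniqueDestPorts": len(g["ports"]),
               "TotalConnections": g["count"], "ScanType": classify(len(g["hosts"]), len(g["ports"]))}
              for (src, w), g in groups.items()
              if len(g["ports"]) >= SCAN_THRESHOLD_PORTS or len(g["hosts"]) >= SCAN_THRESHOLD_HOSTS]
    return sorted(alerts, key=lambda a: (-a["UniqueDestHosts"], -a["UniqueDestPorts"]))

def sample_records():
    """Constructed CommonSecurityLog-like rows (not real telemetry), all inside the 12:00-12:05 bin."""
    row = lambda t, s, d, p: {"TimeGenerated": t, "SourceIP": s, "DestinationIP": d, "DestinationPort": p}
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = [row(t0 + timedelta(seconds=i), "203.0.113.7", f"198.51.100.{i + 1}", 443) for i in range(30)]
    rows += [row(t0 + timedelta(seconds=p), "198.51.100.9", "203.0.113.50", p) for p in range(1, 26)]
    rows += [row(t0, "192.0.2.44", f"198.51.100.{i + 1}", 8000 + p) for i in range(16) for p in range(10)]
    rows += [row(t0, "10.0.0.5", f"198.51.100.{i + 1}", 443) for i in range(30)]  # RFC 1918 source: excluded
    return rows
```

Running `detect_scans(sample_records())` yields three alerts (the sweep, the gap case as "Unknown Scan Pattern", and the single-host port scan) and none for the 10.0.0.5 source; changing the thresholds or the case() branches here shows their effect before touching the Sentinel rule.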

Data Sources

Network Traffic: Network Traffic Flow
Network Traffic: Network Connection Creation
Process: Process Creation
Firewall: Firewall Rule Modification

Required Tables

CommonSecurityLog
DeviceProcessEvents

False Positives & Tuning

  • Authorized vulnerability scanners (Qualys, Tenable Nessus, Rapid7 InsightVM) running scheduled scans from dedicated scanner IPs — allowlist scanner IP ranges
  • Internet-wide scanning services (Shodan, Censys, Binaryedge, Shadowserver) continuously scan public IPs and will trigger high-volume alerts — maintain an allowlist of known scanner AS numbers
  • Internal IT asset discovery tools (SCCM network discovery, ManageEngine, Spiceworks) scanning internal subnets — scope detection to exclude known management VLAN source IPs
  • Load balancer health checks and monitoring systems (Pingdom, Datadog Synthetics, AWS ELB probes) that repeatedly probe multiple ports on registered hosts
  • Red team engagements and authorized penetration tests — coordinate with security team to suppress alerts during test windows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: nmap TCP SYN Scan Against Local Subnet

    Expected signal: Linux auditd: execve syscall for nmap with full argument list. Sysmon for Linux Event ID 1: Process Create with Image=/usr/bin/nmap, CommandLine containing '-sS'. Network: multiple outbound TCP SYN packets to 192.168.1.0/24 range across ports 22,80,443,445,3389,8080. File creation event for /tmp/scan_results.txt.

  2. Test 2: PowerShell Ping Sweep (ICMP IP Block Scan)

    Expected signal: Sysmon Event ID 1: powershell.exe process create with ForEach-Object -Parallel and Test-Connection in CommandLine. Sysmon Event ID 3: multiple ICMP/network connection events from powershell.exe to 192.168.1.1-254. Sysmon Event ID 11: file creation for ping_sweep_results.txt. PowerShell ScriptBlock Log Event ID 4104 with full script content.

  3. Test 3: masscan High-Speed IP Block Scan

    Expected signal: Linux auditd execve: masscan with full arguments. Sysmon for Linux Event ID 1: Process Create with Image=masscan, CommandLine showing target range and --rate. Network: rapid TCP SYN packets to 192.168.1.0/24 at specified ports. masscan sends SYN packets from a random high port and matches RST/SYN-ACK responses. File creation for /tmp/masscan_results.txt.

  4. Test 4: Python Socket-Based Port Scanner (Stealthy Custom Scanner)

    Expected signal: Sysmon Event ID 1: python3.exe/python.exe process create with inline -c argument containing socket and connect. Sysmon Event ID 3: multiple network connection events from python3.exe to 192.168.1.0/24 range across 8 ports. Windows Security Event ID 4688 (if process command line auditing enabled). Network: 29 hosts x 8 ports = up to 232 connection attempts within seconds.
