Detect Scanning IP Blocks in Splunk
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adversaries may scan IP blocks to gather victim network information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts. Information from these scans may reveal opportunities for other forms of reconnaissance, establishing operational resources, or gaining initial access.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1595 Active Scanning
- Sub-technique: T1595.001 Scanning IP Blocks
- Canonical reference: https://attack.mitre.org/techniques/T1595/001/
SPL Detection Query
```spl
| union
    [ search index=network (sourcetype="cisco:asa" OR sourcetype="pan:traffic" OR sourcetype="pan:threat" OR sourcetype="juniper:junos:firewall" OR sourcetype="fortigate_traffic" OR sourcetype="checkpoint:firewall" OR sourcetype="syslog")
      | eval src_ip=coalesce(src_ip, src, SourceIP, source_ip)
      | eval dest_ip=coalesce(dest_ip, dst, DestinationIP, destination_ip)
      | eval dest_port=coalesce(dest_port, dpt, DestinationPort, destination_port)
      | where isnotnull(src_ip) AND isnotnull(dest_ip)
      | where NOT match(src_ip, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)")
      | bucket _time span=5m
      | stats
            dc(dest_port) as unique_dest_ports,
            dc(dest_ip) as unique_dest_hosts,
            count as total_connections,
            values(dest_port) as dest_ports_list,
            values(dest_ip) as dest_hosts_list,
            earliest(_time) as first_seen,
            latest(_time) as last_seen
        by src_ip, _time, sourcetype
      | where unique_dest_ports >= 20 OR unique_dest_hosts >= 15
      | eval scan_type=case(
            unique_dest_hosts >= 15 AND unique_dest_ports <= 5, "IP Block Sweep",
            unique_dest_ports >= 20 AND unique_dest_hosts <= 3, "Port Scan",
            unique_dest_hosts >= 15 AND unique_dest_ports >= 20, "Full Network Scan",
            1==1, "Unknown Scan Pattern"
        )
      | eval scan_duration_seconds=last_seen - first_seen
      | eval detection_branch="perimeter_firewall"
      | table _time, src_ip, scan_type, unique_dest_ports, unique_dest_hosts, total_connections, scan_duration_seconds, dest_ports_list, detection_branch, sourcetype
      | sort - unique_dest_hosts ]
    [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
            (Image="*\\nmap.exe" OR Image="*\\masscan.exe" OR Image="*\\hping3.exe" OR Image="*\\fping.exe"
             OR CommandLine="*nmap *" OR CommandLine="*masscan *" OR CommandLine="* -sS *" OR CommandLine="* -sT *"
             OR CommandLine="* -sV *" OR CommandLine="* -sn *" OR CommandLine="* -Pn *" OR CommandLine="*--scan-delay*"
             OR CommandLine="*port-scan*" OR CommandLine="*portscan*")
      | eval src_ip=host
      | eval scan_type="Scan Tool Executed on Endpoint"
      | eval unique_dest_ports=null()
      | eval unique_dest_hosts=null()
      | eval total_connections=null()
      | eval scan_duration_seconds=null()
      | eval dest_ports_list=null()
      | eval detection_branch="endpoint"
      | table _time, src_ip, scan_type, User, CommandLine, Image, unique_dest_ports, unique_dest_hosts, total_connections, detection_branch
      | sort - _time ]
```

Detects IP block scanning using two detection branches. Branch 1 analyzes firewall/network device logs (Cisco ASA, Palo Alto, FortiGate, Juniper, CheckPoint) via their common syslog sourcetypes, bucketing traffic into 5-minute windows and flagging external source IPs that contact an abnormal number of unique destination ports or hosts. Scan classification (sweep vs. port scan vs. full scan) helps analysts prioritize. Branch 2 detects scan tool execution via Sysmon Event ID 1 on Windows endpoints, catching adversaries who have already gained a foothold and are pivoting internally. The union approach surfaces both perimeter-facing and internal scan activity in a single view.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized vulnerability scanners (Qualys, Tenable, Rapid7) generating high port/host counts from known scanner IPs — build an allowlist lookup table and suppress known scanner sources
- Internet-wide scan services (Shodan, Censys, Shadowserver) will appear as high-volume external scanners — maintain a threat intel feed of known benign scanner IPs to exclude
- Internal IT discovery tools (SCCM, ManageEngine OpManager, SolarWinds) generating internal subnet sweeps — filter by source IP belonging to authorized management VLANs
- Cloud provider health probes and CDN edge node preflight checks generating repeated multi-port connections from AWS/Azure/GCP IP ranges
- Security Operations teams running authorized scans during incident response — establish a scan authorization workflow with suppression tickets
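The following is an added example, not part of the original detection page: a stand-alone Python re-implementation of Branch 1 of the SPL query (5-minute bucketing, the distinct-port and distinct-host thresholds, the private-source exclusion and the `scan_type` classification in the same `case()` order), extended with the allowlist suppression recommended in the tuning list above. All source and destination addresses, timestamps and the allowlist contents are constructed for the example; grouping by `sourcetype` is omitted because the constructed records come from a single source.

```python
"""Branch 1 of the detection re-implemented in Python (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

BUCKET_SECONDS = 300   # mirrors "bucket _time span=5m"
PORT_THRESHOLD = 20    # mirrors "unique_dest_ports >= 20"
HOST_THRESHOLD = 15    # mirrors "unique_dest_hosts >= 15"

# The query's regex drops sources in 10/8, 192.168/16, 172.16/12 and 127/8 (and nothing else).
EXCLUDED_SOURCE_NETS = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Conn:
    ts: int          # epoch seconds; stands in for _time
    src_ip: str
    dest_ip: str
    dest_port: int


def is_excluded_source(src_ip: str) -> bool:
    """Same effect as 'where NOT match(src_ip, "^(10\\.|192\\.168\\.|172\\.(...)\\.|127\\.)")'."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in EXCLUDED_SOURCE_NETS)


def classify(unique_ports: int, unique_hosts: int) -> str:
    """Same branches, same order as the query's case(): the first match wins."""
    if unique_hosts >= HOST_THRESHOLD and unique_ports <= 5:
        return "IP Block Sweep"
    if unique_ports >= PORT_THRESHOLD and unique_hosts <= 3:
        return "Port Scan"
    if unique_hosts >= HOST_THRESHOLD and unique_ports >= PORT_THRESHOLD:
        return "Full Network Scan"
    return "Unknown Scan Pattern"


def detect_scans(conns, allowlist=frozenset()):
    """Bucket by (src_ip, 5-minute window), apply thresholds, classify, sort by host count.
    `allowlist` plays the role of the authorized-scanner lookup table from the tuning notes."""
    groups = defaultdict(list)
    for c in conns:
        if is_excluded_source(c.src_ip) or c.src_ip in allowlist:
            continue
        bucket = c.ts - c.ts % BUCKET_SECONDS
        groups[(c.src_ip, bucket)].append(c)
    results = []
    for (src_ip, bucket), rows in sorted(groups.items()):
        ports = {r.dest_port for r in rows}
        hosts = {r.dest_ip for r in rows}
        if len(ports) >= PORT_THRESHOLD or len(hosts) >= HOST_THRESHOLD:
            results.append({
                "bucket": bucket, "src_ip": src_ip,
                "scan_type": classify(len(ports), len(hosts)),
                "unique_dest_ports": len(ports), "unique_dest_hosts": len(hosts),
                "total_connections": len(rows),
                "scan_duration_seconds": max(r.ts for r in rows) - min(r.ts for r in rows),
            })
    results.sort(key=lambda r: r["unique_dest_hosts"], reverse=True)   # "sort - unique_dest_hosts"
    return results


BASE_TS = 1_700_000_100   # constructed epoch, chosen to sit exactly on a 5-minute bucket boundary
AUTHORIZED_SCANNERS = frozenset({"203.0.113.99"})   # constructed allowlist entry


def sample_connections():
    """Constructed firewall records (documentation-range addresses only)."""
    conns = []
    # (a) external source sweeping 20 hosts on one port -> IP Block Sweep
    conns += [Conn(BASE_TS + i, "203.0.113.10", f"192.0.2.{i + 1}", 445) for i in range(20)]
    # (b) external source probing 25 ports on one host -> Port Scan
    conns += [Conn(BASE_TS + 100 + i, "198.51.100.7", "192.0.2.50", 1 + i) for i in range(25)]
    # (c) 16 hosts x 22 ports in the following bucket -> Full Network Scan
    conns += [Conn(BASE_TS + 300 + (h * 22 + p) // 2, "203.0.113.77", f"192.0.2.{100 + h}", 1000 + p)
              for h in range(16) for p in range(22)]
    # (d) authorized scanner, 30 hosts: suppressed by the allowlist
    conns += [Conn(BASE_TS + i, "203.0.113.99", f"192.0.2.{i + 1}", 22) for i in range(30)]
    # (e) internal source, 30 hosts: dropped by the private-source exclusion
    conns += [Conn(BASE_TS + i, "10.1.1.5", f"192.0.2.{i + 1}", 22) for i in range(30)]
    # (f) ordinary external client, 3 hosts / 2 ports: below both thresholds
    conns += [Conn(BASE_TS + i, "198.51.100.200", f"192.0.2.{i + 1}", 443) for i in range(3)]
    conns.append(Conn(BASE_TS + 10, "198.51.100.200", "192.0.2.1", 80))
    return conns


if __name__ == "__main__":
    for row in detect_scans(sample_connections(), AUTHORIZED_SCANNERS):
        print(row)
```

Running it without the allowlist argument surfaces the authorized scanner as a fourth "IP Block Sweep" row, which is exactly the noise the lookup-table suppression removes; the internal source never appears in either run, which is the trade-off of Branch 1's private-source exclusion and the reason Branch 2 exists.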
Other platforms for T1595.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: nmap TCP SYN Scan Against Local Subnet
  Expected signal: Linux auditd: execve syscall for nmap with full argument list. Sysmon for Linux Event ID 1: Process Create with Image=/usr/bin/nmap, CommandLine containing '-sS'. Network: multiple outbound TCP SYN packets to 192.168.1.0/24 range across ports 22,80,443,445,3389,8080. File creation event for /tmp/scan_results.txt.
- Test 2: PowerShell Ping Sweep (ICMP IP Block Scan)
  Expected signal: Sysmon Event ID 1: powershell.exe process create with ForEach-Object -Parallel and Test-Connection in CommandLine. Sysmon Event ID 3: multiple ICMP/network connection events from powershell.exe to 192.168.1.1-254. Sysmon Event ID 11: file creation for ping_sweep_results.txt. PowerShell ScriptBlock Log Event ID 4104 with full script content.
- Test 3: masscan High-Speed IP Block Scan
  Expected signal: Linux auditd execve: masscan with full arguments. Sysmon for Linux Event ID 1: Process Create with Image=masscan, CommandLine showing target range and --rate. Network: rapid TCP SYN packets to 192.168.1.0/24 at specified ports. masscan sends SYN packets from a random high port and matches RST/SYN-ACK responses. File creation for /tmp/masscan_results.txt.
- Test 4: Python Socket-Based Port Scanner (Stealthy Custom Scanner)
  Expected signal: Sysmon Event ID 1: python3.exe/python.exe process create with inline -c argument containing socket and connect. Sysmon Event ID 3: multiple network connection events from python3.exe to 192.168.1.0/24 range across 8 ports. Windows Security Event ID 4688 (if process command line auditing enabled). Network: 29 hosts x 8 ports = up to 232 connection attempts within seconds.
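As a coverage check for the tests above, here is an added example (not from the original page) that re-implements Branch 2 of the SPL query, the Sysmon Event ID 1 scan-tool indicators, in Python and runs it over constructed process-creation records shaped like the expected signals of the four tests. The image paths, command lines and the extra Windows nmap record are constructed; the `label` field and the `wildcard_match` helper are conveniences of this example, not Splunk or Sysmon fields.

```python
"""Branch 2 (Sysmon Event ID 1 scan-tool indicators) re-implemented in Python; constructed records."""
import re

# Indicator list copied from the query's Branch 2. In a quoted SPL search term "\\" is one
# literal backslash, so the query's "*\\nmap.exe" is written here as the raw string r"*\nmap.exe".
IMAGE_PATTERNS = [r"*\nmap.exe", r"*\masscan.exe", r"*\hping3.exe", r"*\fping.exe"]
COMMANDLINE_PATTERNS = [
    "*nmap *", "*masscan *", "* -sS *", "* -sT *", "* -sV *", "* -sn *",
    "* -Pn *", "*--scan-delay*", "*port-scan*", "*portscan*",
]


def wildcard_match(value: str, pattern: str) -> bool:
    """Splunk-style field match: '*' matches any run of characters, everything else is
    literal, and the comparison is case-insensitive like a Splunk search term."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def match_event(event: dict) -> list:
    """Return the indicators one Event ID 1 record satisfies; an empty list means no alert."""
    if event.get("EventCode") != 1:
        return []
    hits = [f"Image={p}" for p in IMAGE_PATTERNS if wildcard_match(event.get("Image", ""), p)]
    hits += [f"CommandLine={p}" for p in COMMANDLINE_PATTERNS
             if wildcard_match(event.get("CommandLine", ""), p)]
    return hits


def sample_events() -> list:
    """Constructed records mirroring the 'Expected signal' of each test, plus one Windows nmap run."""
    return [
        {"label": "Test 1", "EventCode": 1, "Image": "/usr/bin/nmap",
         "CommandLine": "nmap -sS -p 22,80,443,445,3389,8080 192.168.1.0/24 -oN /tmp/scan_results.txt"},
        {"label": "Test 2", "EventCode": 1,
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": 'powershell.exe -NoProfile -Command "1..254 | ForEach-Object -Parallel '
                        '{ Test-Connection -ComputerName 192.168.1.$_ -Count 1 -Quiet }"'},
        {"label": "Test 3", "EventCode": 1, "Image": "/usr/bin/masscan",
         "CommandLine": "masscan 192.168.1.0/24 -p22,80,443 --rate 1000 -oL /tmp/masscan_results.txt"},
        {"label": "Test 4", "EventCode": 1, "Image": r"C:\Python311\python.exe",
         "CommandLine": 'python.exe -c "import socket; <constructed placeholder for the connect loop>"'},
        {"label": "windows nmap", "EventCode": 1, "Image": r"C:\Tools\nmap.exe",
         "CommandLine": "nmap.exe -sn 192.168.1.0/24"},
        # A non-process-create event with a suspicious command line must not match.
        {"label": "not event 1", "EventCode": 3, "Image": "/usr/bin/nmap", "CommandLine": "nmap -sS host"},
    ]


def evaluate(events) -> dict:
    """Map each constructed record's label to the indicators it triggers."""
    return {e["label"]: match_event(e) for e in events}


if __name__ == "__main__":
    for label, hits in evaluate(sample_events()).items():
        print(f"{label:12s} -> {hits or 'no match'}")
```

What the run shows: Tests 1 and 3 are caught by the CommandLine indicators only, because the Image patterns are Windows `.exe` paths and Sysmon for Linux reports `Image=/usr/bin/nmap`; the Windows record is caught by both. Tests 2 and 4 trigger nothing in Branch 2, since neither PowerShell `Test-Connection` nor a `python -c` socket loop carries a listed tool name or flag, so validating them depends on the Sysmon Event ID 3 and 4104 signals their descriptions list. Branch 1 sees none of the four when they are run from a host on the local subnet, because its private-source exclusion drops RFC 1918 sources, which is the coverage gap the endpoint branch is meant to close.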
References (10)
- https://attack.mitre.org/techniques/T1595/001/
- https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.trendmicro.com/en_us/research/21/i/teamtnt-targets-aws-and-alibaba-cloud.html
- https://nmap.org/book/man-port-scanning-techniques.html
- https://github.com/robertdavidgraham/masscan
- https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
- https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/common-event-format
- https://docs.zeek.org/en/master/logs/conn.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1595.001/T1595.001.md