Detect Scanning IP Blocks in Sumo Logic CSE
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adversaries may scan IP blocks to gather victim network information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts. Information from these scans may reveal opportunities for other forms of reconnaissance, establishing operational resources, or gaining initial access.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1595 Active Scanning
- Sub-technique: T1595.001 Scanning IP Blocks
- Canonical reference: https://attack.mitre.org/techniques/T1595/001/
Sumo Detection Query
_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

Sumo Logic detection for Scanning IP Blocks (T1595.001). Uses _sourceCategory path filtering for flexible log routing compatibility, with JSON field extraction and statistical aggregation to surface IP-block scanning patterns. Designed for the Sumo Logic Cloud SIEM platform.
Data Sources
Required Tables
False Positives & Tuning
- Authorized vulnerability scanners (Qualys, Tenable Nessus, Rapid7 InsightVM) running scheduled scans from dedicated scanner IPs — allowlist scanner IP ranges
- Internet-wide scanning services (Shodan, Censys, Binaryedge, Shadowserver) continuously scan public IPs and will trigger high-volume alerts — maintain an allowlist of known scanner AS numbers
- Internal IT asset discovery tools (SCCM network discovery, ManageEngine, Spiceworks) scanning internal subnets — scope detection to exclude known management VLAN source IPs
- Load balancer health checks and monitoring systems (Pingdom, Datadog Synthetics, AWS ELB probes) that repeatedly probe multiple ports on registered hosts
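The query above keys on which process ran (powershell, wmic, cmd), not on where it connected, and the tuning notes above describe sources that must be allowlisted. The following is an added example, not the page's own detection or Sumo Logic code: it applies a fan-out heuristic (many distinct destination IPs, or many distinct destination ports, from one process within a short window) to Sysmon Event ID 3 network-connection records, and skips sources that fall inside an authorized-scanner range. The thresholds, the allowlisted 10.10.50.0/24 range and every sample event are constructed assumptions.

```python
"""Fan-out heuristic for IP-block scanning over Sysmon Event ID 3 records.

Added example, not the page's Sumo Logic query. Field names follow Sysmon's
Event ID 3 (network connection) schema; the sample events, the thresholds and
the allowlisted scanner range are constructed for illustration.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist: the dedicated vulnerability-scanner / management VLAN
# ranges that the tuning notes say should be excluded from this detection.
AUTHORIZED_SCANNER_NETS = [ipaddress.ip_network("10.10.50.0/24")]

WINDOW = timedelta(seconds=60)   # sliding window per (host, process, source IP)
MIN_DISTINCT_HOSTS = 10          # host sweep: distinct destination IPs in a window
MIN_DISTINCT_PORTS = 5           # port sweep: distinct destination ports in a window


def is_allowlisted(ip: str) -> bool:
    """True when the source address belongs to an authorized scanner range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SCANNER_NETS)


def detect_scans(lines):
    """Return one alert per (Computer, Image, SourceIp) whose connections within
    any WINDOW fan out to MIN_DISTINCT_HOSTS IPs or MIN_DISTINCT_PORTS ports."""
    groups = defaultdict(list)
    for line in lines:
        e = json.loads(line)
        if e.get("EventID") != 3 or is_allowlisted(e["SourceIp"]):
            continue
        e["ts"] = datetime.fromisoformat(e["UtcTime"])
        groups[(e["Computer"], e["Image"], e["SourceIp"])].append(e)

    alerts = []
    for (computer, image, src), events in groups.items():
        events.sort(key=lambda ev: ev["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the window spans at most WINDOW.
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            dst_ips = {ev["DestinationIp"] for ev in window}
            dst_ports = {ev["DestinationPort"] for ev in window}
            if len(dst_ips) >= MIN_DISTINCT_HOSTS or len(dst_ports) >= MIN_DISTINCT_PORTS:
                alerts.append({
                    "computer": computer, "image": image, "source_ip": src,
                    "distinct_hosts": len(dst_ips), "distinct_ports": len(dst_ports),
                    "window_start": window[0]["UtcTime"], "window_end": window[-1]["UtcTime"],
                })
                break  # one alert per group is enough for triage
    return alerts


def _eid3(ts, computer, image, src, dst, port):
    """Build one constructed Sysmon Event ID 3 record as a JSON line."""
    return json.dumps({"EventID": 3, "UtcTime": ts, "Computer": computer, "Image": image,
                       "SourceIp": src, "DestinationIp": dst, "DestinationPort": port})


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = (
    # WS01: powershell.exe reaches 12 neighbours on port 445 within 12 seconds (host sweep).
    [_eid3(f"2024-01-01T10:00:{i:02d}", "WS01", PS, "192.168.1.50", f"192.168.1.{100 + i}", 445)
     for i in range(12)]
    # WS03: python.exe tries 8 ports on one host within 8 seconds (port sweep).
    + [_eid3(f"2024-01-01T11:00:{i:02d}", "WS03", "C:\\Python311\\python.exe", "192.168.1.52",
             "192.168.1.200", p) for i, p in enumerate((21, 22, 80, 443, 445, 3389, 8080, 8443))]
    # SCAN01: the same sweep from the allowlisted scanner range is ignored.
    + [_eid3(f"2024-01-01T10:00:{i:02d}", "SCAN01", "/usr/bin/nmap", "10.10.50.5",
             f"192.168.1.{100 + i}", 445) for i in range(12)]
    # WS02: ordinary browsing, four destinations spread over ten minutes.
    + [_eid3(f"2024-01-01T10:{3 * i:02d}:00", "WS02", "chrome.exe", "192.168.1.51",
             f"203.0.113.{i}", 443) for i in range(4)]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_EVENTS):
        print(alert)
```

The sliding window keeps the check cheap per group, and breaking after the first alert per (host, process, source IP) keeps a long sweep from producing hundreds of near-identical alerts. Tune MIN_DISTINCT_HOSTS and MIN_DISTINCT_PORTS against the load-balancer and monitoring probes listed above before enabling this in production.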
Other platforms for T1595.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: nmap TCP SYN Scan Against Local Subnet
Expected signal: Linux auditd: execve syscall for nmap with full argument list. Sysmon for Linux Event ID 1: Process Create with Image=/usr/bin/nmap, CommandLine containing '-sS'. Network: multiple outbound TCP SYN packets to 192.168.1.0/24 range across ports 22,80,443,445,3389,8080. File creation event for /tmp/scan_results.txt.
- Test 2: PowerShell Ping Sweep (ICMP IP Block Scan)
Expected signal: Sysmon Event ID 1: powershell.exe process create with ForEach-Object -Parallel and Test-Connection in CommandLine. Sysmon Event ID 3: multiple ICMP/network connection events from powershell.exe to 192.168.1.1-254. Sysmon Event ID 11: file creation for ping_sweep_results.txt. PowerShell ScriptBlock Log Event ID 4104 with full script content.
- Test 3: masscan High-Speed IP Block Scan
Expected signal: Linux auditd execve: masscan with full arguments. Sysmon for Linux Event ID 1: Process Create with Image=masscan, CommandLine showing target range and --rate. Network: rapid TCP SYN packets to 192.168.1.0/24 at specified ports. masscan sends SYN packets from a random high port and matches RST/SYN-ACK responses. File creation for /tmp/masscan_results.txt.
- Test 4: Python Socket-Based Port Scanner (Stealthy Custom Scanner)
Expected signal: Sysmon Event ID 1: python3.exe/python.exe process create with inline -c argument containing socket and connect. Sysmon Event ID 3: multiple network connection events from python3.exe to 192.168.1.0/24 range across 8 ports. Windows Security Event ID 4688 (if process command line auditing enabled). Network: 29 hosts x 8 ports = up to 232 connection attempts within seconds.
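The process-creation signals listed for the four tests can be checked mechanically. The following is an added example, not part of the page or of the Atomic Red Team tests it refers to: it matches Sysmon Event ID 1 records (Image plus CommandLine) and PowerShell Event ID 4104 records (ScriptBlockText) against the tool and argument combinations the expected signals describe, so each test's telemetry can be confirmed from the log rather than by eye. The rule names, the regexes and every sample event are constructed assumptions.

```python
"""Process-creation signatures for the four scan tests' expected signals.

Added example; not part of the page or of Atomic Red Team. It matches Sysmon
Event ID 1 (Image + CommandLine) and PowerShell Event ID 4104 (ScriptBlockText)
records against the tool/argument combinations the expected signals describe.
All sample events are constructed.
"""
import json
import re

# (rule name, image regex, regexes that must ALL appear in the command line / script block)
SCAN_RULES = [
    ("nmap_syn_scan",         r"(^|[/\\])nmap(\.exe)?$",       [r"(^|\s)-sS(\s|$)"]),
    ("powershell_ping_sweep", r"(^|[/\\])powershell(\.exe)?$", [r"ForEach-Object\s+-Parallel", r"Test-Connection"]),
    ("masscan_rate_scan",     r"(^|[/\\])masscan(\.exe)?$",    [r"(^|\s)--rate(=|\s)"]),
    ("python_socket_scanner", r"(^|[/\\])python3?(\.exe)?$",   [r"(^|\s)-c(\s|$)", r"\bsocket\b", r"\bconnect(_ex)?\b"]),
]
COMPILED = [(name, re.compile(img, re.I), [re.compile(p, re.I) for p in pats])
            for name, img, pats in SCAN_RULES]


def match_event(event: dict):
    """Return the names of rules the event satisfies (empty list if none)."""
    eid = event.get("EventID")
    if eid == 1:                      # Sysmon process create
        image, text = event.get("Image", ""), event.get("CommandLine", "")
    elif eid == 4104:                 # PowerShell script block: always powershell
        image, text = "powershell.exe", event.get("ScriptBlockText", "")
    else:
        return []
    return [name for name, img_re, pats in COMPILED
            if img_re.search(image) and all(p.search(text) for p in pats)]


def scan_hits(lines):
    """Run every rule over JSON log lines; one hit dict per (event, rule) pair."""
    hits = []
    for line in lines:
        e = json.loads(line)
        for rule in match_event(e):
            hits.append({"rule": rule, "event_id": e["EventID"], "host": e.get("Computer")})
    return hits


def _ev(**fields):
    """Serialise one constructed event as a JSON log line."""
    return json.dumps(fields)


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SWEEP = "1..254 | ForEach-Object -Parallel { Test-Connection -ComputerName 192.168.1.$_ -Count 1 -Quiet }"
SAMPLE_PROCESS_EVENTS = [
    _ev(EventID=1, Computer="LNX01", Image="/usr/bin/nmap",
        CommandLine="nmap -sS -p 22,80,443,445,3389,8080 192.168.1.0/24 -oN /tmp/scan_results.txt"),
    _ev(EventID=1, Computer="WS01", Image=PS, CommandLine=f'powershell.exe -Command "{SWEEP}"'),
    _ev(EventID=1, Computer="LNX01", Image="/usr/bin/masscan",
        CommandLine="masscan 192.168.1.0/24 -p22,80,443,445 --rate 1000 -oL /tmp/masscan_results.txt"),
    _ev(EventID=1, Computer="WS03", Image="C:\\Python311\\python3.exe",
        CommandLine='python3.exe -c "import socket; socket.socket().connect((host, port))"'),
    _ev(EventID=1, Computer="WS01", Image=PS, CommandLine="powershell.exe -Command Get-Process"),  # benign
    _ev(EventID=1, Computer="WS03", Image="C:\\Python311\\python3.exe",
        CommandLine="python3.exe -c \"print('hello')\""),                                         # benign
    _ev(EventID=4104, Computer="WS01", ScriptBlockText=SWEEP),
]

if __name__ == "__main__":
    for hit in scan_hits(SAMPLE_PROCESS_EVENTS):
        print(hit)
```

Requiring every pattern in a rule (rather than any) is what keeps the benign powershell.exe and python3.exe events from firing; the 4104 record is matched with the same powershell rule so a sweep launched from an interactive session is still caught when the process command line alone says nothing.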
References (10)
- https://attack.mitre.org/techniques/T1595/001/
- https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.trendmicro.com/en_us/research/21/i/teamtnt-targets-aws-and-alibaba-cloud.html
- https://nmap.org/book/man-port-scanning-techniques.html
- https://github.com/robertdavidgraham/masscan
- https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
- https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/common-event-format
- https://docs.zeek.org/en/master/logs/conn.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1595.001/T1595.001.md
Unlock Pro Content
Get the full detection package for T1595.001 including response playbook, investigation guide, and atomic red team tests.