T1595 Google Chronicle · YARA-L

Detect Active Scanning in Google Chronicle

This detection identifies inbound active reconnaissance scanning against your infrastructure by monitoring network perimeter logs for systematic port scanning, IP block sweeping, and vulnerability probing patterns originating from external sources. Because T1595 occurs pre-compromise and is directed at victim infrastructure from the outside, detection relies on perimeter telemetry such as firewall deny/drop logs, IDS/IPS alerts, and web server access logs rather than endpoint events. The detection correlates high-frequency blocked connection attempts from single source IPs across multiple destination ports or multiple destination hosts within short time windows, which is characteristic of automated scanning tools such as nmap, masscan, Shodan crawlers, and vulnerability scanners like Nessus or Qualys. Early identification of active scanning enables defenders to preemptively block attacker infrastructure before exploitation attempts begin.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1595 Active Scanning
Canonical reference
https://attack.mitre.org/techniques/T1595/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1595_active_scanning {
  meta:
    author = "df00tech"
    description = "Detects active scanning activity from external source IPs"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1595"
    confidence = "medium"
    severity = "medium"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.security_result.action = "BLOCK"
    not re.regex($e.principal.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
  match:
    $e.principal.ip over 5m
  condition:
    #e > 50
}
medium severity medium confidence

Google Chronicle YARA-L 2.0 detection rule for Active Scanning (T1595). Uses Unified Data Model (UDM) event field mappings to detect the same behavioral patterns as the KQL rule, with Chronicle's temporal matching and entity correlation capabilities.

Data Sources

Google Chronicle SIEMChronicle UDM

Required Tables

NETWORK_CONNECTIONNETWORK_FLOW

False Positives & Tuning

  • Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
  • Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
  • Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs
Download portable Sigma rule (.yml)

Other platforms for T1595

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1nmap TCP SYN Port Scan Against Test Target

    Expected signal: Firewall deny/drop log entries for TCP SYN packets from the scanning host IP to TARGET_IP across ports 1-1024, visible in CommonSecurityLog (KQL) or cisco:asa/pan:traffic sourcetypes (SPL). IDS/IPS may generate nmap OS fingerprint detection signatures.

  2. Test 2masscan High-Rate IP Block Sweep

    Expected signal: High-rate firewall deny/drop events across multiple destination IPs within the target CIDR. NetFlow records will show SYN-only TCP sessions with no SYN-ACK responses to closed ports. Masscan generates distinctive TCP options patterns detectable by IDS/IPS signature engines.

  3. Test 3Web Application Vulnerability Scan with Nikto

    Expected signal: Web server access logs (IIS W3CIISLog, Apache access_combined) show hundreds of HTTP GET/HEAD requests to paths such as /.env, /.git/config, /admin, /wp-admin, /phpmyadmin, /manager/html with predominantly 404 (Not Found) and 403 (Forbidden) response codes. Nikto User-Agent string 'Mozilla/5.00 (Nikto/2' visible in csUserAgent field.

Last updated: 2026-03-19 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1595 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1595.001Scanning IP BlocksT1595.002Vulnerability ScanningT1595.003Wordlist ScanningT1592Gather Victim Host InformationT1596Search Open Technical DatabasesT1590Gather Victim Network InformationT1133External Remote ServicesT1190Exploit Public-Facing ApplicationT1110Brute Force

Same Tactic: Reconnaissance

Popular Detections