T1595 IBM QRadar · QRadar

Detect Active Scanning in IBM QRadar

This detection identifies inbound active reconnaissance scanning against your infrastructure by monitoring network perimeter logs for systematic port scanning, IP block sweeping, and vulnerability probing patterns originating from external sources. Because T1595 occurs pre-compromise and is directed at victim infrastructure from the outside, detection relies on perimeter telemetry such as firewall deny/drop logs, IDS/IPS alerts, and web server access logs rather than endpoint events. The detection correlates high-frequency blocked connection attempts from single source IPs across multiple destination ports or multiple destination hosts within short time windows, which is characteristic of automated scanning tools such as nmap, masscan, Shodan crawlers, and vulnerability scanners like Nessus or Qualys. Early identification of active scanning enables defenders to preemptively block attacker infrastructure before exploitation attempts begin.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1595 Active Scanning
Canonical reference
https://attack.mitre.org/techniques/T1595/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN NOT (INCIDR('10.0.0.0/8', sourceip) OR INCIDR('192.168.0.0/16', sourceip) OR INCIDR('172.16.0.0/12', sourceip)) AND "deviceaction" ILIKE '%deny%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (NOT (INCIDR('10.0.0.0/8', sourceip) OR INCIDR('192.168.0.0/16', sourceip) OR INCIDR('172.16.0.0/12', sourceip)) AND "deviceaction" ILIKE '%deny%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS
```

Severity: medium · Confidence: medium

QRadar AQL detection for Active Scanning (T1595). The query reads the QRadar events store with SQL-like syntax, keeps blocked (deny) events whose source address lies outside the RFC 1918 private ranges, attaches a risk score to each row, and excludes events generated by QRadar's own SIM Audit and Custom Rule Engine log sources so that internal audit noise does not surface as scanning. As written it returns individual deny events; the per-source volume and spread across ports and hosts described above must be assessed by grouping those events or by a rule that counts them over a time window.
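Added example, not part of the original rule: an aggregated form of the query above that implements the per-source correlation described in the introduction (distinct destination ports, distinct destination hosts and total denied attempts per external source within a short window). The thresholds (20 ports, 10 hosts, 200 attempts), the 15-minute window and the reference set name Authorized_Scanners used to exclude vendor scanners from the tuning section are assumptions to adjust per environment.

```sql
SELECT
    sourceip AS "ScanningSource",
    UNIQUECOUNT(destinationport) AS "DistinctPorts",
    UNIQUECOUNT(destinationip) AS "DistinctHosts",
    COUNT(*) AS "DeniedAttempts",
    MIN(devicetime) AS "FirstSeen",
    MAX(devicetime) AS "LastSeen"
  FROM events
  WHERE NOT (INCIDR('10.0.0.0/8', sourceip) OR INCIDR('192.168.0.0/16', sourceip) OR INCIDR('172.16.0.0/12', sourceip))
    AND "deviceaction" ILIKE '%deny%'
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
    AND NOT REFERENCESETCONTAINS('Authorized_Scanners', sourceip)
  GROUP BY sourceip
  HAVING UNIQUECOUNT(destinationport) >= 20
      OR UNIQUECOUNT(destinationip) >= 10
      OR COUNT(*) >= 200
  ORDER BY "DeniedAttempts" DESC
  LAST 15 MINUTES
```

A source that trips the port threshold points to a vertical scan of one host, while the host threshold points to a horizontal sweep of the address block; FirstSeen and LastSeen are epoch milliseconds and show how fast the sweep ran.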

Data Sources

QRadar SIEM, Windows Security Events, Network Firewall Logs, Syslog

Required Tables

events

False Positives & Tuning

  • Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
  • Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
  • Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: nmap TCP SYN Port Scan Against Test Target

    Expected signal: Firewall deny/drop log entries for TCP SYN packets from the scanning host IP to TARGET_IP across ports 1-1024, visible in CommonSecurityLog (KQL) or cisco:asa/pan:traffic sourcetypes (SPL). IDS/IPS may generate nmap OS fingerprint detection signatures.

  2. Test 2: masscan High-Rate IP Block Sweep

    Expected signal: High-rate firewall deny/drop events across multiple destination IPs within the target CIDR. NetFlow records will show SYN-only TCP sessions with no SYN-ACK responses to closed ports. Masscan generates distinctive TCP options patterns detectable by IDS/IPS signature engines.

  3. Test 3: Web Application Vulnerability Scan with Nikto

    Expected signal: Web server access logs (IIS W3CIISLog, Apache access_combined) show hundreds of HTTP GET/HEAD requests to paths such as /.env, /.git/config, /admin, /wp-admin, /phpmyadmin, /manager/html with predominantly 404 (Not Found) and 403 (Forbidden) response codes. Nikto User-Agent string 'Mozilla/5.00 (Nikto/2' visible in csUserAgent field.

