Detect Active Scanning in Microsoft Sentinel
This detection identifies inbound active reconnaissance scanning against your infrastructure by monitoring network perimeter logs for systematic port scanning, IP block sweeping, and vulnerability probing patterns originating from external sources. Because T1595 occurs pre-compromise and is directed at victim infrastructure from the outside, detection relies on perimeter telemetry such as firewall deny/drop logs, IDS/IPS alerts, and web server access logs rather than endpoint events. The detection correlates high-frequency blocked connection attempts from single source IPs across multiple destination ports or multiple destination hosts within short time windows, which is characteristic of automated scanning tools such as nmap, masscan, Shodan crawlers, and vulnerability scanners like Nessus or Qualys. Early identification of active scanning enables defenders to preemptively block attacker infrastructure before exploitation attempts begin.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1595 Active Scanning
- Canonical reference
- https://attack.mitre.org/techniques/T1595/
KQL Detection Query
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceAction in~ ("Deny", "Drop", "Block", "Reject", "deny", "drop", "block", "reject")
| where isnotempty(SourceIP) and SourceIP !startswith "10." and SourceIP !startswith "192.168." and SourceIP !startswith "172."
| where DestinationPort > 0
| summarize
UniqueDestPorts = dcount(DestinationPort),
UniqueDestIPs = dcount(DestinationIP),
TotalAttempts = count(),
PortsTargeted = make_set(DestinationPort, 50),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
DeviceVendor = any(DeviceVendor),
DeviceProduct = any(DeviceProduct)
by SourceIP, bin(TimeGenerated, 5m)
| where UniqueDestPorts >= 10 or (UniqueDestIPs >= 5 and TotalAttempts >= 30)
| extend
ScanType = case(
UniqueDestPorts >= 20, "Aggressive Port Scan",
UniqueDestPorts >= 10, "Port Scan",
UniqueDestIPs >= 10, "IP Block Sweep",
UniqueDestIPs >= 5, "Limited IP Sweep",
"Suspicious Probe"
),
ScanDurationSeconds = datetime_diff('second', LastSeen, FirstSeen),
AttemptsPerMinute = TotalAttempts / max_of(datetime_diff('minute', LastSeen, FirstSeen), 1)
| project
TimeGenerated,
SourceIP,
ScanType,
UniqueDestPorts,
UniqueDestIPs,
TotalAttempts,
AttemptsPerMinute,
PortsTargeted,
ScanDurationSeconds,
FirstSeen,
LastSeen,
DeviceVendor,
DeviceProduct
| order by TotalAttempts descDetects inbound active scanning against perimeter infrastructure by aggregating firewall deny/drop/block events from CommonSecurityLog over 5-minute windows. Flags external source IPs that probe 10 or more distinct destination ports (port scan) or reach 5 or more distinct destination IPs with 30 or more blocked attempts (IP block sweep). Excludes RFC1918 private address space to focus on external threats. Enriches each alert with scan type classification, attempts per minute rate, and list of targeted ports.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
- Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
- Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs
Other platforms for T1595
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1nmap TCP SYN Port Scan Against Test Target
Expected signal: Firewall deny/drop log entries for TCP SYN packets from the scanning host IP to TARGET_IP across ports 1-1024, visible in CommonSecurityLog (KQL) or cisco:asa/pan:traffic sourcetypes (SPL). IDS/IPS may generate nmap OS fingerprint detection signatures.
- Test 2masscan High-Rate IP Block Sweep
Expected signal: High-rate firewall deny/drop events across multiple destination IPs within the target CIDR. NetFlow records will show SYN-only TCP sessions with no SYN-ACK responses to closed ports. Masscan generates distinctive TCP options patterns detectable by IDS/IPS signature engines.
- Test 3Web Application Vulnerability Scan with Nikto
Expected signal: Web server access logs (IIS W3CIISLog, Apache access_combined) show hundreds of HTTP GET/HEAD requests to paths such as /.env, /.git/config, /admin, /wp-admin, /phpmyadmin, /manager/html with predominantly 404 (Not Found) and 403 (Forbidden) response codes. Nikto User-Agent string 'Mozilla/5.00 (Nikto/2' visible in csUserAgent field.
References (8)
- https://attack.mitre.org/techniques/T1595/
- https://attack.mitre.org/techniques/T1595/001/
- https://attack.mitre.org/techniques/T1595/002/
- https://attack.mitre.org/techniques/T1595/003/
- https://nmap.org/book/man.html
- https://github.com/robertdavidgraham/masscan
- https://cirt.net/Nikto2
- https://owasp.org/www-project-web-security-testing-guide/latest/6-Appendix/C-Fuzz_Vectors
Unlock Pro Content
Get the full detection package for T1595 including response playbook, investigation guide, and atomic red team tests.