Detect Active Scanning in Splunk
This detection identifies inbound active reconnaissance against your infrastructure by monitoring network perimeter logs for systematic port scanning, IP block sweeping, and vulnerability probing from external sources. Because T1595 occurs pre-compromise and is directed at victim infrastructure from the outside, detection relies on perimeter telemetry such as firewall deny/drop logs, IDS/IPS alerts, and web server access logs rather than endpoint events. The detection correlates high-frequency blocked connection attempts from a single source IP across multiple destination ports or multiple destination hosts within a short time window, which is characteristic of automated tools such as nmap and masscan, internet-wide crawlers such as Shodan, and vulnerability scanners such as Nessus or Qualys. Any internet-facing address receives constant background scanning, so the value of this detection lies in its thresholds, in allowlists for known benign scanners, and in correlating a flagged source with follow-on exploitation attempts, not in alerting on every probe. Early identification of active scanning lets defenders block attacker infrastructure before exploitation attempts begin.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1595 Active Scanning
- Canonical reference
- https://attack.mitre.org/techniques/T1595/
SPL Detection Query
index=* (sourcetype="cisco:asa" OR sourcetype="pan:traffic" OR sourcetype="paloalto:firewall" OR sourcetype="juniper:junos:firewall" OR sourcetype="fortinet:fortigate:traffic" OR sourcetype="checkpoint:firewall")
(action=denied OR action=dropped OR action=blocked OR action=reset OR action="deny" OR action="drop")
| where NOT (cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip))
| bin _time span=5m
| stats
    dc(dest_port) as unique_dest_ports,
    dc(dest_ip) as unique_dest_ips,
    count as total_attempts,
    min(_time) as first_seen,
    max(_time) as last_seen,
    values(dest_port) as ports_targeted
  by src_ip _time
| where unique_dest_ports >= 10 OR (unique_dest_ips >= 5 AND total_attempts >= 30)
| eval scan_duration_sec = last_seen - first_seen
| eval attempts_per_min = round(total_attempts / max(scan_duration_sec / 60, 1), 2)
| eval scan_type = case(
    unique_dest_ports >= 20, "Aggressive Port Scan",
    unique_dest_ports >= 10, "Port Scan",
    unique_dest_ips >= 10, "IP Block Sweep",
    unique_dest_ips >= 5, "Limited IP Sweep",
    1==1, "Suspicious Probe"
  )
| eval first_seen_readable = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen_readable = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - total_attempts
| table _time, src_ip, scan_type, unique_dest_ports, unique_dest_ips, total_attempts, attempts_per_min, ports_targeted, first_seen_readable, last_seen_readable

Correlates firewall deny/drop/block events from common network security appliance sourcetypes (Cisco ASA, Palo Alto, Juniper, Fortinet, Check Point) over 5-minute windows. Identifies external source IPs exhibiting port scan behavior (10+ unique destination ports) or IP sweep behavior (5+ unique destination IPs with 30+ blocked attempts). Calculates scan velocity in attempts per minute and classifies the scan type for analyst triage prioritization. Internal sources are excluded with cidrmatch against the three RFC 1918 blocks rather than with string wildcards: a pattern such as src_ip="172.2*" also matches the public 172.2.0.0/16 and would silently hide a genuine external scanner. Replace index=* with the index that actually holds the firewall data; a wildcard index search combined with the dc() and values() aggregations is expensive at scale.
Data Sources
Required Sourcetypes
- cisco:asa
- pan:traffic or paloalto:firewall
- juniper:junos:firewall
- fortinet:fortigate:traffic
- checkpoint:firewall
The query reads the fields src_ip, dest_ip, dest_port and action. Confirm that the add-on feeding each sourcetype populates those exact names; CIM-compliant add-ons expose the endpoints as src and dest, in which case the field names in the query must be adjusted.
False Positives & Tuning
- Authorized penetration testing engagements — verify with security team whether a pentest is in scope before escalating; request tester IP ranges in advance
- External monitoring services (Pingdom, UptimeRobot, StatusCake) and CDN health probes that systematically check multiple ports to verify service availability
- Misconfigured partner or vendor systems that have incorrect firewall rules and generate repeated blocked connection attempts that resemble scanning traffic
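As an added example that is not part of this page, the following Python reproduces the query's logic (external-source filter, 5-minute bins per source, distinct-port and distinct-host thresholds, velocity and scan_type) and adds the allowlist that the tuning list above calls for, so both can be exercised offline. Every address, the 192.0.2.0/24 "monitoring" allowlist entry and the deny events themselves are constructed for the example and are not real telemetry.

```python
# Added example (not from the original page): a plain-Python prototype of the
# SPL detection above, run over constructed firewall deny/drop events.
import ipaddress
from collections import defaultdict

# RFC 1918 ranges matched as networks rather than string wildcards
# (a wildcard such as "172.2*" also swallows the public 172.2.0.0/16).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DENY_ACTIONS = {"denied", "dropped", "blocked", "reset", "deny", "drop"}
BIN_SECONDS = 300  # the SPL's 5-minute bin


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def in_allowlist(ip, allowlist):
    """allowlist: CIDR strings for known monitors/pentesters (the tuning list)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def classify(unique_ports, unique_ips):
    # Same precedence as the SPL case(): port-scan labels win over sweep labels.
    if unique_ports >= 20:
        return "Aggressive Port Scan"
    if unique_ports >= 10:
        return "Port Scan"
    if unique_ips >= 10:
        return "IP Block Sweep"
    if unique_ips >= 5:
        return "Limited IP Sweep"
    return "Suspicious Probe"


def detect_scans(events, allowlist=()):
    """events: dicts with ts (epoch seconds), src_ip, dest_ip, dest_port, action.
    Returns one row per (src_ip, 5-minute bin) crossing the thresholds,
    sorted by total_attempts descending, mirroring the SPL table."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["action"] not in DENY_ACTIONS:
            continue
        if is_private(ev["src_ip"]) or in_allowlist(ev["src_ip"], allowlist):
            continue
        bin_start = ev["ts"] - ev["ts"] % BIN_SECONDS
        buckets[(ev["src_ip"], bin_start)].append(ev)

    rows = []
    for (src_ip, bin_start), evs in buckets.items():
        ports = {e["dest_port"] for e in evs}
        hosts = {e["dest_ip"] for e in evs}
        total = len(evs)
        if not (len(ports) >= 10 or (len(hosts) >= 5 and total >= 30)):
            continue
        first = min(e["ts"] for e in evs)
        last = max(e["ts"] for e in evs)
        duration = last - first
        rows.append({
            "bin_start": bin_start,
            "src_ip": src_ip,
            "scan_type": classify(len(ports), len(hosts)),
            "unique_dest_ports": len(ports),
            "unique_dest_ips": len(hosts),
            "total_attempts": total,
            "attempts_per_min": round(total / max(duration / 60, 1), 2),
            "ports_targeted": sorted(ports),
        })
    rows.sort(key=lambda r: -r["total_attempts"])
    return rows


def _deny(ts, src, dst, port, action="deny"):
    return {"ts": ts, "src_ip": src, "dest_ip": dst, "dest_port": port, "action": action}


T0 = 1_700_000_100  # a 5-minute bin boundary; all constructed events stay in this bin
# Constructed sample telemetry (documentation/benchmark ranges, not real hosts).
SAMPLE_EVENTS = (
    # 203.0.113.10: 12 ports on one host in 12 seconds -> Port Scan
    [_deny(T0 + i, "203.0.113.10", "198.18.0.10", 20 + i) for i in range(12)]
    # 198.51.100.7: port 22 across 10 hosts, 4 tries each -> IP Block Sweep
    + [_deny(T0 + 3 * i, "198.51.100.7", f"198.18.0.{1 + i % 10}", 22, "drop") for i in range(40)]
    # 10.0.0.5 and 172.20.1.1: internal sources, excluded by the RFC 1918 filter
    + [_deny(T0 + i, "10.0.0.5", "198.18.0.10", 1000 + i) for i in range(30)]
    + [_deny(T0 + i, "172.20.1.1", "198.18.0.10", 2000 + i) for i in range(30)]
    # 192.0.2.50: assumed uptime monitor probing 15 ports, suppressed via allowlist
    + [_deny(T0 + i, "192.0.2.50", "198.18.0.10", 80 + i) for i in range(15)]
    # 203.0.113.99: 3 ports on 2 hosts, below every threshold
    + [_deny(T0 + i, "203.0.113.99", f"198.18.0.{1 + i % 2}", 443 + i) for i in range(3)]
)
ALLOWLIST = ("192.0.2.0/24",)  # assumed monitoring range for this example only

if __name__ == "__main__":
    for row in detect_scans(SAMPLE_EVENTS, ALLOWLIST):
        print(row["src_ip"], row["scan_type"], row["total_attempts"], row["attempts_per_min"])
```

Without the allowlist argument the 192.0.2.50 monitor is reported as a Port Scan, which is exactly the false positive the tuning list describes; in Splunk the same suppression is done with a lookup of approved scanner ranges applied before the stats step.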
Testing Methodology
Validate this detection with the three Atomic Red Team style test cases below. Each lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: nmap TCP SYN Port Scan Against Test Target
Expected signal: firewall deny/drop log entries for TCP SYN packets from the scanning host to TARGET_IP across ports 1-1024 in the cisco:asa, pan:traffic or equivalent sourcetypes (the same events appear in CommonSecurityLog for the KQL version of this detection). IDS/IPS signatures for nmap SYN scans may also fire, and OS fingerprinting signatures if the scan is run with -O.
- Test 2: masscan High-Rate IP Block Sweep
Expected signal: high-rate firewall deny/drop events across many destination IPs within the target CIDR, typically on one or a few ports. NetFlow records show SYN-only flows with no completed handshake: closed ports answer with RST and filtered ports do not answer at all. masscan's SYN packets carry a distinctive TCP header pattern that IDS/IPS signature engines can match.
- Test 3: Web Application Vulnerability Scan with Nikto
Expected signal: web server access logs (IIS W3CIISLog, Apache access_combined) show hundreds of HTTP GET/HEAD requests to paths such as /.env, /.git/config, /admin, /wp-admin, /phpmyadmin and /manager/html with predominantly 404 (Not Found) and 403 (Forbidden) response codes. The Nikto User-Agent string 'Mozilla/5.00 (Nikto/2' is visible in the User-Agent field (csUserAgent in IIS W3C logs, the last quoted field in Apache access_combined).
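To check the Test 3 signal against real access logs, the following added example (not from this page and not part of Nikto) parses Apache access_combined lines and flags clients whose requests mostly return 404/403, counting how many hit the probe paths named above, with the Nikto User-Agent as an independent trigger. The log lines, client addresses and thresholds are constructed for the example; the probe path list is only the one the test describes and should be extended from your own scanner captures.

```python
# Added example (not from the original page): per-client aggregation of
# constructed Apache access_combined lines to surface vulnerability-scan bursts.
import re
from collections import defaultdict

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Paths named in the expected signal above.
PROBE_PATHS = ("/.env", "/.git/", "/admin", "/wp-admin", "/phpmyadmin", "/manager/html")
SCANNER_UA_MARKERS = ("(Nikto/",)  # Nikto sends "Mozilla/5.00 (Nikto/2.x.x) ..."


def parse_combined(line):
    """Return the fields of one access_combined line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_web_scanners(lines, min_requests=20, min_error_ratio=0.8):
    """Aggregate per client IP; return the clients that look like vulnerability scans."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "probe_hits": 0, "scanner_ua": False})
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparsable line; count these separately in production
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] in ("404", "403"):
            s["errors"] += 1
        if rec["path"].startswith(PROBE_PATHS):
            s["probe_hits"] += 1
        if any(marker in rec["ua"] for marker in SCANNER_UA_MARKERS):
            s["scanner_ua"] = True
    flagged = {}
    for ip, s in stats.items():
        ratio = s["errors"] / s["requests"]
        # A scanner UA is enough on its own; otherwise require volume plus a high error ratio.
        if s["scanner_ua"] or (s["requests"] >= min_requests and ratio >= min_error_ratio):
            flagged[ip] = {**s, "error_ratio": round(ratio, 2)}
    return flagged


def _line(ip, method, path, status, ua, second):
    # Constructed access_combined line (fixed date, fixed 512-byte response size).
    return (f'{ip} - - [10/Oct/2024:13:55:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
SCAN_TARGETS = ["/.env", "/.git/config", "/admin", "/wp-admin",
                "/phpmyadmin", "/manager/html", "/backup.zip", "/cgi-bin/test.cgi"]
SAMPLE_LOG = (
    # 203.0.113.5: Nikto-style burst, 40 requests, two 200s, the rest 403/404
    [_line("203.0.113.5", "HEAD" if i % 5 == 0 else "GET", SCAN_TARGETS[i % 8],
           200 if i in (0, 20) else (403 if i % 7 == 0 else 404), NIKTO_UA, i % 60)
     for i in range(40)]
    # 198.51.100.20: ordinary browsing, all 200
    + [_line("198.51.100.20", "GET", "/index.html", 200, BROWSER_UA, i) for i in range(10)]
    # 192.0.2.77: a client following some broken links, 20% 404s, not a scanner
    + [_line("192.0.2.77", "GET", f"/page{i}", 404 if i % 5 == 0 else 200, BROWSER_UA, i)
       for i in range(25)]
)

if __name__ == "__main__":
    for ip, s in find_web_scanners(SAMPLE_LOG).items():
        print(ip, s["requests"], s["error_ratio"], s["probe_hits"], s["scanner_ua"])
```

Because the error-ratio rule does not depend on the User-Agent, the same client is still flagged when the Nikto string is replaced with a browser string, which matters since the User-Agent is trivially spoofed; the probe_hits count is what an analyst would inspect to confirm the paths match scanner behaviour rather than a broken crawler.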
References
- https://attack.mitre.org/techniques/T1595/
- https://attack.mitre.org/techniques/T1595/001/
- https://attack.mitre.org/techniques/T1595/002/
- https://attack.mitre.org/techniques/T1595/003/
- https://nmap.org/book/man.html
- https://github.com/robertdavidgraham/masscan
- https://cirt.net/Nikto2
- https://owasp.org/www-project-web-security-testing-guide/latest/6-Appendix/C-Fuzz_Vectors