T1595 Sumo Logic CSE · Sumo

Detect Active Scanning in Sumo Logic CSE

This detection identifies inbound active reconnaissance scanning against your infrastructure by monitoring network perimeter logs for systematic port scanning, IP block sweeping, and vulnerability probing patterns originating from external sources. Because T1595 occurs pre-compromise and is directed at victim infrastructure from the outside, detection relies on perimeter telemetry such as firewall deny/drop logs, IDS/IPS alerts, and web server access logs rather than endpoint events. The detection correlates high-frequency blocked connection attempts from single source IPs across multiple destination ports or multiple destination hosts within short time windows, which is characteristic of automated scanning tools such as nmap, masscan, Shodan crawlers, and vulnerability scanners like Nessus or Qualys. Early identification of active scanning enables defenders to preemptively block attacker infrastructure before exploitation attempts begin.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1595 Active Scanning
Canonical reference
https://attack.mitre.org/techniques/T1595/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*firewall* OR _sourceCategory=*network*
| json auto
| where !(src_ip matches "10.*") and !(src_ip matches "192.168.*")
| timeslice 5m
| stats dcount(dest_port) as UniqueDestPorts, dcount(dest_ip) as UniqueDestHosts, count as TotalConns by _timeslice, src_ip
| where UniqueDestPorts >= 20 or UniqueDestHosts >= 15
| if(UniqueDestHosts >= 15 and UniqueDestPorts <= 5, "IP Block Sweep", if(UniqueDestPorts >= 20 and UniqueDestHosts <= 3, "Port Scan", "Full Network Scan")) as ScanType
medium severity medium confidence

Sumo Logic detection for Active Scanning (T1595). Uses _sourceCategory path filtering for flexible log routing compatibility, with JSON field extraction and statistical aggregation to surface active scanning patterns. Designed for the Sumo Logic Cloud SIEM platform.

Data Sources

Sumo Logic Cloud SIEMLog Sources via Sumo Logic Collector

Required Tables

network/firewallsecurity/ids

False Positives & Tuning

  • Legitimate external vulnerability scanners operated by authorized third-party security vendors (e.g., Qualys, Tenable, Rapid7) running scheduled assessments — coordinate with security team to whitelist known scanner IPs
  • Cloud provider health checks, CDN edge probes, and load balancer connectivity tests from cloud service IP ranges (AWS, Azure, Cloudflare) that generate denied traffic to closed ports
  • Internet background radiation and automated internet-wide scanners from academic research institutions such as Shodan, Censys, and university security research groups hitting exposed public IPs
Download portable Sigma rule (.yml)

Other platforms for T1595

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1nmap TCP SYN Port Scan Against Test Target

    Expected signal: Firewall deny/drop log entries for TCP SYN packets from the scanning host IP to TARGET_IP across ports 1-1024, visible in CommonSecurityLog (KQL) or cisco:asa/pan:traffic sourcetypes (SPL). IDS/IPS may generate nmap OS fingerprint detection signatures.

  2. Test 2masscan High-Rate IP Block Sweep

    Expected signal: High-rate firewall deny/drop events across multiple destination IPs within the target CIDR. NetFlow records will show SYN-only TCP sessions with no SYN-ACK responses to closed ports. Masscan generates distinctive TCP options patterns detectable by IDS/IPS signature engines.

  3. Test 3Web Application Vulnerability Scan with Nikto

    Expected signal: Web server access logs (IIS W3CIISLog, Apache access_combined) show hundreds of HTTP GET/HEAD requests to paths such as /.env, /.git/config, /admin, /wp-admin, /phpmyadmin, /manager/html with predominantly 404 (Not Found) and 403 (Forbidden) response codes. Nikto User-Agent string 'Mozilla/5.00 (Nikto/2' visible in csUserAgent field.

Last updated: 2026-03-19 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1595 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1595.001Scanning IP BlocksT1595.002Vulnerability ScanningT1595.003Wordlist ScanningT1592Gather Victim Host InformationT1596Search Open Technical DatabasesT1590Gather Victim Network InformationT1133External Remote ServicesT1190Exploit Public-Facing ApplicationT1110Brute Force

Same Tactic: Reconnaissance

Popular Detections