Palo Alto - possible nmap scan on with top 100 option
| Field | Value |
|---|---|
| Id | 4d61bb9a-7f6d-45b1-ac0e-517e2a92f6fd |
| Rulename | Palo Alto - possible nmap scan on with top 100 option |
| Description | Detects possible execution of the Nmap top 100 ports option. The rule fires when 90% of Nmap's top 100 ports are scanned in less than 2 minutes. Ports on this list that are normally only accessed through a scan are a good indicator of reconnaissance tactics. Whitelisting of company scanners is required when implementing the rule. Ref: https://nmap.org/book/performance-port-selection.html |
| Severity | Medium |
| Tactics | Reconnaissance |
| Techniques | T1595 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-Top100_NmapScan.yaml |
| Version | 1.0.0 |
| Arm template | 4d61bb9a-7f6d-45b1-ac0e-517e2a92f6fd.json |
```kusto
CommonSecurityLog
| where ipv4_is_private(SourceIP)
| where DestinationPort in (7, 9, 13, 21, 22, 23, 25, 26, 37, 79, 81, 88, 106, 110, 111, 119, 135, 139, 143, 144, 179, 199, 389, 427, 444, 445, 465, 513, 514, 515, 543, 544, 548, 554, 587, 631, 646, 873, 990, 993, 995, 1025, 1026, 1027, 1028, 1029, 1110, 1433, 1720, 1723, 1755, 1900, 2000, 2001, 2049, 2121, 2717, 3000, 3128, 3306, 3389, 3986, 4899, 5000, 5009, 5051, 5060, 5101, 5190, 5357, 5432, 5631, 5666, 5800, 5900, 6000, 6001, 6646, 7070, 8000, 8008, 8009, 8080, 8081, 8443, 8888, 9100, 9999, 10000, 32768, 49152, 49153, 49154, 49155, 49156, 49157)
| summarize
    dcount(DestinationPort),
    make_set(DestinationPort),
    make_set(ApplicationProtocol),
    make_set(Activity),
    make_set(SourcePort),
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated)
    by SourceIP, DestinationIP, Computer, bin(TimeGenerated, 2m)
| where dcount_DestinationPort > 90
```
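As an added worked example (not code from the Sentinel rule or the Azure-Sentinel repository), the query's filtering, 2-minute binning and `dcount > 90` threshold re-implemented in Python over constructed CommonSecurityLog-style records, so the logic can be exercised offline. The `AUTHORIZED_SCANNERS` allowlist is an assumption that reflects the description's requirement to whitelist company scanners; the KQL above does not contain it.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Nmap top-100 port list copied from the rule's `DestinationPort in (...)` filter.
TOP100 = {7, 9, 13, 21, 22, 23, 25, 26, 37, 79, 81, 88, 106, 110, 111, 119, 135, 139, 143,
          144, 179, 199, 389, 427, 444, 445, 465, 513, 514, 515, 543, 544, 548, 554, 587,
          631, 646, 873, 990, 993, 995, 1025, 1026, 1027, 1028, 1029, 1110, 1433, 1720, 1723,
          1755, 1900, 2000, 2001, 2049, 2121, 2717, 3000, 3128, 3306, 3389, 3986, 4899, 5000,
          5009, 5051, 5060, 5101, 5190, 5357, 5432, 5631, 5666, 5800, 5900, 6000, 6001, 6646,
          7070, 8000, 8008, 8009, 8080, 8081, 8443, 8888, 9100, 9999, 10000, 32768, 49152,
          49153, 49154, 49155, 49156, 49157}
THRESHOLD = 90                        # | where dcount_DestinationPort > 90
AUTHORIZED_SCANNERS = {"10.0.0.250"}  # assumed allowlist of company scanners (not in the KQL)

def detect(events):
    """Group like the KQL summarize and return rows whose distinct-port count exceeds 90."""
    groups = defaultdict(list)
    for e in events:
        # ipv4_is_private(SourceIP), the assumed allowlist, and the top-100 port filter
        if (not ip_address(e["SourceIP"]).is_private or e["SourceIP"] in AUTHORIZED_SCANNERS
                or e["DestinationPort"] not in TOP100):
            continue
        t = e["TimeGenerated"]  # bin(TimeGenerated, 2m): floor to an even minute
        bucket = t.replace(second=0, microsecond=0, minute=t.minute - t.minute % 2)
        groups[(e["SourceIP"], e["DestinationIP"], e["Computer"], bucket)].append(e)
    alerts = []
    for (src, dst, host, bucket), rows in groups.items():
        ports = {r["DestinationPort"] for r in rows}
        if len(ports) > THRESHOLD:
            alerts.append({"SourceIP": src, "DestinationIP": dst, "Computer": host,
                           "dcount_DestinationPort": len(ports),
                           "StartTime": min(r["TimeGenerated"] for r in rows),
                           "EndTime": max(r["TimeGenerated"] for r in rows)})
    return alerts

def sample_events():
    """Constructed sample: one host sweeping 95 top-100 ports in 95 seconds, one host
    touching 5 ports, and an allowlisted scanner sweeping all 100 (must not alert)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ports = sorted(TOP100)
    ev = [{"TimeGenerated": t0 + timedelta(seconds=i), "SourceIP": "10.0.0.5",
           "DestinationIP": "10.0.0.20", "Computer": "fw01", "DestinationPort": p}
          for i, p in enumerate(ports[:95])]
    ev += [{"TimeGenerated": t0, "SourceIP": "10.0.0.6", "DestinationIP": "10.0.0.20",
            "Computer": "fw01", "DestinationPort": p} for p in ports[:5]]
    ev += [{"TimeGenerated": t0, "SourceIP": "10.0.0.250", "DestinationIP": "10.0.0.20",
            "Computer": "fw01", "DestinationPort": p} for p in ports]
    return ev
```

Running `detect(sample_events())` yields a single row for 10.0.0.5 with 95 distinct ports; the 5-port host stays below the threshold and the allowlisted scanner is dropped before grouping.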
```yaml
relevantTechniques:
  - T1595
entityMappings:
  - entityType: IP
    fieldMappings:
      - columnName: DestinationIP
        identifier: Address
  - entityType: Host
    fieldMappings:
      - columnName: Computer
        identifier: FullName
  - entityType: IP
    fieldMappings:
      - columnName: SourceIP
        identifier: Address
version: 1.0.0
id: 4d61bb9a-7f6d-45b1-ac0e-517e2a92f6fd
severity: Medium
kind: Scheduled
queryFrequency: 5m
description: |
  'Detect possible execution of Nmap top 100 option. This detection will detect scanning of 90% of Top 100 port of NMAP in less than 2 minutes. Unusual port only access through a scan are present in this list which is a good indicator of reconnaissance tactics. Whitelisting of Company scanners is required with implementation of the rule. Ref : https://nmap.org/book/performance-port-selection.html'
requiredDataConnectors:
  - connectorId: CefAma
    dataTypes:
      - CommonSecurityLog
triggerOperator: gt
name: Palo Alto - possible nmap scan on with top 100 option
tactics:
  - Reconnaissance
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-Top100_NmapScan.yaml
triggerThreshold: 0
queryPeriod: 5m
query: |
  CommonSecurityLog
  | where ipv4_is_private(SourceIP)
  | where DestinationPort in (7, 9, 13, 21, 22, 23, 25, 26, 37, 79, 81, 88, 106, 110, 111, 119, 135, 139, 143, 144, 179, 199, 389, 427, 444, 445, 465, 513, 514, 515, 543, 544, 548, 554, 587, 631, 646, 873, 990, 993, 995, 1025, 1026, 1027, 1028, 1029, 1110, 1433, 1720, 1723, 1755, 1900, 2000, 2001, 2049, 2121, 2717, 3000, 3128, 3306, 3389, 3986, 4899, 5000, 5009, 5051, 5060, 5101, 5190, 5357, 5432, 5631, 5666, 5800, 5900, 6000, 6001, 6646, 7070, 8000, 8008, 8009, 8080, 8081, 8443, 8888, 9100, 9999, 10000, 32768, 49152, 49153, 49154, 49155, 49156, 49157)
  | summarize
      dcount(DestinationPort),
      make_set(DestinationPort),
      make_set(ApplicationProtocol),
      make_set(Activity),
      make_set(SourcePort),
      StartTime = min(TimeGenerated),
      EndTime = max(TimeGenerated)
      by SourceIP, DestinationIP, Computer, bin(TimeGenerated, 2m)
  | where dcount_DestinationPort > 90
status: Available
```