Corelight - Network Service Scanning Multiple IP Addresses

let threshold = 25;
union corelight_conn, corelight_conn_red
| where local_resp == true
| where local_orig == true
| where conn_state in~ ('S0', 'REJ')
| where history !contains 'D'
| summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
| where count_ > threshold

entityMappings:
- fieldMappings:
  - columnName: id_orig_h
    identifier: Address
  entityType: IP
severity: Medium
name: Corelight - Network Service Scanning Multiple IP Addresses
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml
id: 599570d4-06f8-4939-8e29-95cd003f1abd
kind: Scheduled
status: Available
queryFrequency: 1h
relevantTechniques:
- T1566
description: |
    'Identify scanning of services that may be available on the internal network.'
query: |
  let threshold = 25;
  union corelight_conn, corelight_conn_red
  | where local_resp == true
  | where local_orig == true
  | where conn_state in~ ('S0', 'REJ')
  | where history !contains 'D'
  | summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
  | where count_ > threshold  
version: 2.1.0
tactics:
- InitialAccess
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
  - Corelight_v2_conn
  - Corelight_v2_conn_red
  - corelight_conn
  - corelight_conn_red
  connectorId: Corelight