GSA - Detect Source IP Scanning Multiple Open Ports

let port_scan_time = 30s;
let min_ports_threshold = 100;
NetworkAccessTraffic
| where TimeGenerated > ago(1d)
| where Action == 'Allowed'
| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)
| where PortsScanned > min_ports_threshold
| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn

relevantTechniques:
- T1046
entityMappings:
- fieldMappings:
  - columnName: SourceIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DestinationFqdn
    identifier: Url
  entityType: URL
triggerThreshold: 1
description: |
  Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.
    Configurable Parameters:
    - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
    - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.  
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - NetworkAccessTrafficLogs
triggerOperator: gt
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1
queryFrequency: 1d
query: |
  let port_scan_time = 30s;
  let min_ports_threshold = 100;
  NetworkAccessTraffic
  | where TimeGenerated > ago(1d)
  | where Action == 'Allowed'
  | summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)
  | where PortsScanned > min_ports_threshold
  | project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn  
severity: Medium
status: Available
queryPeriod: 1d
name: GSA - Detect Source IP Scanning Multiple Open Ports
tactics:
- Discovery
kind: Scheduled