Forum Discussion
Daily "Network Port Sweep detected on port x" but no Source IP
There are some ideas in this query, to get you started
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection =~ "Inbound"
| where ipv4_is_private(SrcIpAddr)==false
| distinct SrcIpAddr, DstIpAddr, DvcHostname, DstPortNumber
| extend country_=geo_info_from_ip_address(SrcIpAddr)
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-set-aggregation-function
As you are using make-set with 100, you get 100 random values; let's say you have 200 results, you may be missing something in the 100 you are dropping.
- MarcusBoyce, Jul 01, 2024, Copper Contributor
Clive_Watson Hi Clive,
With the line for not being a private IP we get what is expected, and only see hits against our external DNS.
let lookback = 8h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection =~ "Inbound"
// | where ipv4_is_private(SrcIpAddr)==false
| distinct SrcIpAddr, DstIpAddr, DvcHostname, DstPortNumber
// | extend country_=geo_info_from_ip_address(SrcIpAddr)
Commenting that out, we get a load of scans. The two specific ports (135 and 445) are listed, and the query that Sentinel is flagging is only against the ones with ::ffff at the front.
Rule: Network Port Sweep from External Network (ASIM Network Session schema)
Description: This detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilizes [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any source which supports the ASIM Network Session schema.
Theory: Sentinel is thinking these IPs are external because of the ::ffff in front of them. It only flags those. So my question is, why do the logged IPs have that in front of them?
- Clive_Watson, Jul 01, 2024, Bronze Contributor
https://blog.ip2location.com/knowledge-base/ipv4-mapped-ipv6-address/ I agree Sentinel does seem to think they are something else; if you split it out to remove the prefix, that may work?
let sourceIP ="::ffff.10.10.10.10";
print sourceIP = iif(sourceIP has "ffff",split(sourceIP,"f.")[1],sourceIP)
- Vladx340, Aug 01, 2024, Copper Contributor
We also have issues with this stupid rule when Sentinel thinks ffff:pri.vate.add.ress is external. Is there any easy fix that can be implemented for this?
- MarcusBoyce, Jul 01, 2024, Copper Contributor
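An added example, not from this thread or from the Sentinel rule itself, showing why the ::ffff prefix defeats a private-range check and how unwrapping the IPv4-mapped address before the check fixes it. It is in Python rather than KQL so it runs stand-alone; the sample SrcIpAddr values are constructed, and the private-range list is an assumption that mirrors the RFC 1918 ranges plus IPv6 ULA.

```python
import ipaddress
from typing import List, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed private ranges: RFC 1918 IPv4 blocks plus IPv6 unique local (fc00::/7).
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample of SrcIpAddr values as a collector might emit them.
SAMPLE_SRC_IPS = [
    "10.10.10.10",          # private IPv4, plain form
    "::ffff:10.10.10.10",   # same private host, IPv4-mapped IPv6 form
    "::ffff:198.51.100.7",  # public IPv4 (documentation range), mapped form
    "198.51.100.7",         # public IPv4, plain form
    "2001:db8::1",          # native IPv6 (documentation range), not ULA
    "not-an-ip",            # malformed value: skip it, do not crash the pipeline
]

def normalize_src_ip(value: str) -> Optional[Address]:
    """Parse a SrcIpAddr string; unwrap ::ffff:a.b.c.d to the embedded IPv4."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def naive_is_external(value: str) -> Optional[bool]:
    """The broken check: tests the raw string without unwrapping the mapping.
    An IPv6 address never matches an IPv4 network, so ::ffff:10.x looks external."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return not any(addr in net for net in PRIVATE_NETWORKS)

def is_external(value: str) -> Optional[bool]:
    """The fixed check: normalize first, then test against the private ranges."""
    addr = normalize_src_ip(value)
    if addr is None:
        return None
    return not any(addr in net for net in PRIVATE_NETWORKS)

def external_sources(values: List[str]) -> List[str]:
    """Keep only the sources an 'external port sweep' rule should consider."""
    return [v for v in values if is_external(v)]
```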
Clive_Watson Hi, there’s no source IP. The query running is one built into Sentinel.
I shall try running your query. Thanks for the feedback.
- Meghatri, Dec 08, 2024, Copper Contributor
Hey MarcusBoyce, just wondering if you were able to solve this? I have the same issue.