MarcusBoyce
Jun 24, 2024 | Copper Contributor
Daily "Network Port Sweep detected on port x" but no Source IP
For a couple of months we have been getting "Network Port Sweep was detected by multiple IPs" with ports 135 and 445 mostly. The KQL attached lists a load of Destination IPs but no Source IP (see ex...
MarcusBoyce
Jul 01, 2024 | Copper Contributor
Clive_Watson Hi Clive,
With the line for not being a private IP we get what is expected, and only see hits against our external DNS.
let lookback = 8h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection =~ "Inbound"
// | where ipv4_is_private(SrcIpAddr)==false
| distinct SrcIpAddr, DstIpAddr, DvcHostname, DstPortNumber
// | extend country_=geo_info_from_ip_address(SrcIpAddr)
Commenting that out we get a load of scans. The two specific ports (135 and 445) are listed, and the query that Sentinel is flagging is only against the ones with ::ffff at the front.
Rule: Network Port Sweep from External Network (ASIM Network Session schema)
Description: This detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilizes [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any source which supports the ASIM Network Session schema.
Theory: Sentinel is thinking these IPs are external because of the ::ffff in front of them. It only flags those. So my question is why are the logged IPs having that in front of them?
Clive_Watson
Jul 01, 2024 | Bronze Contributor
https://blog.ip2location.com/knowledge-base/ipv4-mapped-ipv6-address/ I agree Sentinel does seem to think they are something else, if you split it out to remove the prefix that may work?
// IPv4-mapped IPv6 addresses are written ::ffff:a.b.c.d, so split on "f:" to keep only the IPv4 part;
// split() returns a dynamic array, hence tostring() so both iif() branches are strings
let sourceIP ="::ffff:10.10.10.10";
print sourceIP = iif(sourceIP has "ffff", tostring(split(sourceIP,"f:")[1]), sourceIP)
Vladx340
Aug 01, 2024 | Copper Contributor
We also have issues with this stupid rule when Sentinel thinks ffff:pri.vate.add.ress is external. Is there any easy fix that can be implemented for this?
Clive_Watson
Aug 02, 2024 | Bronze Contributor
You can use the idea above and filter out any entries with ffff: as part of a custom rule - this isn't a fully developed Rule, so adjust to suit
let lookback = 8d;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection =~ "Inbound"
// keep the raw value so the original ::ffff: form is still available for investigation
| extend originalSrcIpAddr = SrcIpAddr
// strip the IPv4-mapped prefix (::ffff:a.b.c.d -> a.b.c.d); tostring() because split() returns a dynamic array
| extend SrcIpAddr = iif(SrcIpAddr has "::ffff", tostring(split(SrcIpAddr,"f:")[1]), SrcIpAddr)
// ipv4_is_private() now sees a plain IPv4 address, so RFC 1918 sources are excluded as intended
| where ipv4_is_private(SrcIpAddr)==false
| where SrcIpAddr !='127.0.0.1' and SrcIpAddr !='0.0.0.0'
| distinct SrcIpAddr, DstIpAddr, DvcHostname, DstPortNumber, originalSrcIpAddr
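As an added example (not code from any post in this thread, nor from the Sentinel rule), the Python below mirrors what the KQL sketch above does: it unwraps IPv4-mapped IPv6 sources (::ffff:a.b.c.d), applies the same private/loopback/unspecified filters, and then finishes the step the sketch leaves open by counting distinct external sources per destination port against a threshold. The session records, the threshold of 2 and the function names are constructed for this example; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public scanners.

```python
import ipaddress
from collections import defaultdict

# Same ranges that Kusto's ipv4_is_private() treats as private (RFC 1918).
RFC1918_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def normalize_src_ip(raw):
    """Return the embedded IPv4 address for an IPv4-mapped IPv6 value
    (::ffff:a.b.c.d -> a.b.c.d); anything else is returned unchanged."""
    value = raw.strip()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Tolerate the dotted variant written in the thread ("::ffff.10.10.10.10"),
        # which the ipaddress module does not parse.
        if value.lower().startswith("::ffff."):
            return value[len("::ffff."):]
        return value
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def is_external(raw):
    """Mirror the rule's filters: after normalisation the source must be a valid
    IPv4 address that is not RFC 1918, not 127.0.0.1 and not 0.0.0.0.
    A native IPv6 source comes back False here, as it also falls out of the KQL,
    because ipv4_is_private() yields null for a non-IPv4 string."""
    try:
        addr = ipaddress.ip_address(normalize_src_ip(raw))
    except ValueError:
        return False
    if not isinstance(addr, ipaddress.IPv4Address):
        return False
    if str(addr) in ("127.0.0.1", "0.0.0.0"):
        return False
    return not any(addr in net for net in RFC1918_NETWORKS)


def detect_port_sweeps(sessions, threshold):
    """Group inbound sessions by destination port and report the ports hit by at
    least `threshold` distinct external sources."""
    sources_by_port = defaultdict(set)
    for session in sessions:
        if session.get("NetworkDirection", "").lower() != "inbound":
            continue
        if not is_external(session["SrcIpAddr"]):
            continue
        sources_by_port[session["DstPortNumber"]].add(normalize_src_ip(session["SrcIpAddr"]))
    return {
        port: sorted(sources)
        for port, sources in sources_by_port.items()
        if len(sources) >= threshold
    }


# Constructed sample sessions (not real telemetry). Private sources carry the
# ::ffff: prefix exactly as described in the thread.
SAMPLE_SESSIONS = [
    {"NetworkDirection": "Inbound", "SrcIpAddr": "::ffff:10.10.10.10", "DstPortNumber": 445},
    {"NetworkDirection": "Inbound", "SrcIpAddr": "::ffff:192.168.1.20", "DstPortNumber": 445},
    {"NetworkDirection": "Inbound", "SrcIpAddr": "::ffff:172.16.5.5", "DstPortNumber": 135},
    {"NetworkDirection": "Inbound", "SrcIpAddr": "::ffff:203.0.113.7", "DstPortNumber": 445},
    {"NetworkDirection": "Inbound", "SrcIpAddr": "198.51.100.9", "DstPortNumber": 445},
    {"NetworkDirection": "Inbound", "SrcIpAddr": "::ffff:127.0.0.1", "DstPortNumber": 135},
    {"NetworkDirection": "Inbound", "SrcIpAddr": "0.0.0.0", "DstPortNumber": 135},
    {"NetworkDirection": "Outbound", "SrcIpAddr": "::ffff:203.0.113.8", "DstPortNumber": 445},
]

if __name__ == "__main__":
    for port, sources in detect_port_sweeps(SAMPLE_SESSIONS, threshold=2).items():
        print(f"port {port}: {len(sources)} external sources -> {', '.join(sources)}")
```

With the sample data only port 445 is reported, and only the two public sources count towards it; the ::ffff:-prefixed RFC 1918 addresses that triggered the false positives in the thread are excluded once the prefix is stripped. Note the side effect the KQL shares: a source logged as a native IPv6 address never reaches the count, so if your sensors see real IPv6 traffic the rule needs a separate private-range check for it.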