Forum Discussion
MarcusBoyce
Jun 24, 2024, Copper Contributor
Daily "Network Port Sweep detected on port x" but no Source IP
For a couple of months we have been getting "Network Port Sweep was detected by multiple IPs" with ports 135 and 445 mostly. The KQL attached lists a load of Destination IPs but no Source IP (see ex...
Clive_Watson
Jul 01, 2024, Bronze Contributor
https://blog.ip2location.com/knowledge-base/ipv4-mapped-ipv6-address/ I agree, Sentinel does seem to think they are something else; if you split it out to remove the prefix, that may work?
// Sample IPv4-mapped value; the real prefix is "::ffff:" (colon), adjust the separator to match your data
let sourceIP ="::ffff.10.10.10.10";
// split() returns dynamic, so cast to string to keep both iif() branches the same type
print sourceIP = iif(sourceIP has "ffff", tostring(split(sourceIP,"f.")[1]), sourceIP)
Vladx340
Aug 01, 2024, Copper Contributor
We also have issues with this stupid rule when Sentinel thinks ffff:pri.vate.add.ress is external. Is there any easy fix that can be implemented for this?
- Clive_Watson
Aug 02, 2024, Bronze Contributor
You can use the idea above and filter out any entries with ffff: as part of a custom rule - this isn't a fully developed Rule, so adjust to suit
let lookback = 8d;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection =~ "Inbound"
// keep the raw value for reference before rewriting it
| extend originalSrcIpAddr = SrcIpAddr
// strip the "::ffff:" IPv4-mapped prefix so the private-range check sees a plain IPv4 address
| extend SrcIpAddr = iif(SrcIpAddr has "::ffff", tostring(split(SrcIpAddr,"f:")[1]), SrcIpAddr)
| where ipv4_is_private(SrcIpAddr)==false
| where SrcIpAddr !='127.0.0.1' and SrcIpAddr !='0.0.0.0'
| distinct SrcIpAddr, DstIpAddr, DvcHostname, DstPortNumber, originalSrcIpAddr
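The query above strips the "::ffff:" prefix with a string split, which works for the dotted form the thread shows but misses the hex form of the same mapped address ("::ffff:a0a:a0a"), where the split leaves a value that ipv4_is_private() cannot evaluate. The following is an added Python illustration, not code from the thread or from Microsoft Sentinel: it reproduces the filter logic of the custom rule over a few constructed session rows, normalises IPv4-mapped addresses with the standard ipaddress module instead of string splitting, and shows the case the split approach misses. The field names mirror the _Im_NetworkSession columns used in the thread; the sample rows and the 20.20.20.20 address are constructed stand-ins.

```python
import ipaddress

# Constructed sample rows in the shape of the _Im_NetworkSession fields the thread's query uses.
# 20.20.20.20 is a constructed stand-in for an external (non-private) source.
SAMPLE_SESSIONS = [
    {"SrcIpAddr": "::ffff:10.10.10.10", "DstIpAddr": "10.0.0.5", "DstPortNumber": 445},  # mapped, dotted form
    {"SrcIpAddr": "::ffff:a0a:a0a", "DstIpAddr": "10.0.0.5", "DstPortNumber": 135},      # same address, hex form
    {"SrcIpAddr": "20.20.20.20", "DstIpAddr": "10.0.0.5", "DstPortNumber": 445},         # plain external IPv4
    {"SrcIpAddr": "::ffff:20.20.20.20", "DstIpAddr": "10.0.0.6", "DstPortNumber": 135},  # mapped external
    {"SrcIpAddr": "127.0.0.1", "DstIpAddr": "10.0.0.5", "DstPortNumber": 445},           # loopback, excluded
    {"SrcIpAddr": "0.0.0.0", "DstIpAddr": "10.0.0.5", "DstPortNumber": 445},             # unspecified, excluded
    {"SrcIpAddr": "not-an-ip", "DstIpAddr": "10.0.0.5", "DstPortNumber": 445},           # malformed, excluded
]


def kql_prefix_strip(raw: str) -> str:
    """Mimic the thread's KQL: iif(SrcIpAddr has "::ffff", split(SrcIpAddr, "f:")[1], SrcIpAddr).

    Shown only to demonstrate the gap: the hex form of a mapped address is not turned into IPv4.
    """
    if "::ffff" in raw:
        return raw.split("f:", 1)[1]
    return raw


def normalize_src_ip(raw: str):
    """Return the canonical IPv4 string for an IPv4-mapped IPv6 address (either textual form),
    the canonical form of any other valid address, or None when the value does not parse."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def is_external_source(raw: str) -> bool:
    """True when the source should count as external: parses, and is not private,
    loopback or unspecified. Matches the intent of the thread's three where-clauses."""
    ip = normalize_src_ip(raw)
    if ip is None:
        return False  # unparseable values are dropped rather than treated as scanners
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_unspecified)


def external_sweep_sources(sessions):
    """Equivalent of the query's distinct projection for external sources only:
    (normalised SrcIpAddr, DstIpAddr, DstPortNumber, originalSrcIpAddr)."""
    seen = set()
    rows = []
    for s in sessions:
        if not is_external_source(s["SrcIpAddr"]):
            continue
        key = (normalize_src_ip(s["SrcIpAddr"]), s["DstIpAddr"], s["DstPortNumber"], s["SrcIpAddr"])
        if key not in seen:
            seen.add(key)
            rows.append(key)
    return rows


if __name__ == "__main__":
    # The split approach leaves "a0a:a0a" for the hex form, which no IPv4 check will recognise as private
    print("split result for hex form:", kql_prefix_strip("::ffff:a0a:a0a"))
    print("normalised hex form:      ", normalize_src_ip("::ffff:a0a:a0a"))
    for row in external_sweep_sources(SAMPLE_SESSIONS):
        print(row)
```

Running the module prints only the two rows whose source is genuinely external; both mapped private addresses are dropped, including the hex form that the string split would have let through. In KQL the closest equivalent to this normalisation is to parse the address rather than split it, so the one-line split in the rule is best treated as a quick filter and checked against the forms your connector actually emits.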