SigmaHQ/rules/network/net_susp_network_scan.yml

title: Network Scans
description: Detects many failed connection attempts to different ports or hosts
detection:
    selection:
        - log: network
          action: denied
    timeframe: last 24h
    condition:
        - selection | count(dst_port) > 10 by src_ip
        - selection | count(dst_ip) > 10 by src_ip
Added 'Network Scan' rule (#1) * Added possibility for multiple OR-linked conditions 2017-02-08 11:41:32 +00:00			`title: Network Scans`
			`description: Detects many failed connection attempts to different ports or hosts`
			`detection:`
			`selection:`
			`- log: network`
			`action: denied`
			`timeframe: last 24h`
			`condition:`
			`- selection \| count(dst_port) > 10 by src_ip`
			`- selection \| count(dst_ip) > 10 by src_ip`