Daily “Network Port Sweep detected on port x” but no Source IP
For a couple of months we have been getting "Network Port Sweep was detected by multiple IPs" with ports 135 and 445 mostly. The KQL attached lists a load of Destination IPs but no Source IP (see example below). All these are inside our network, and so not coming from outside the network where the firewall would block such scans. We suspect it is one of our network tools such as SolarWinds but without the Source IP it is difficult to prove anything.
// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.
set query_now = datetime(2024-06-24T03:01:10.2587643Z);
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection == "Inbound"
| summarize make_set(DstIpAddr, 100) by DstPortNumber
| where array_length(set_DstIpAddr) > threshold
Tried to modify the query, this is the KQL I have tried.
set query_now = datetime(2024-01-26T07:47:48.3756000Z);
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection == "Inbound"
| summarize make_set(DstIpAddr, 100), make_set(SrcIpAddr, 100) by DstPortNumber
| where array_length(set_DstIpAddr) > threshold
Anyone got any suggestions on how we can track down what is causing this alert in Sentinel?
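The rule query above groups only by DstPortNumber, so every source that touched that port is collapsed into one row and SrcIpAddr is discarded before the alert is raised; adding make_set(SrcIpAddr) to the same summarize just lists every client that used the port, with no link to the hosts each one contacted. The following hunting query is an added example, not the built-in Sentinel rule or anything from the original post: it keeps the same lookback, threshold and ASim _Im_NetworkSession source, but pivots on SrcIpAddr so that each candidate scanner is reported with the number of distinct destinations it reached per port. The watched port list (135, 445), the Interesting cut-off and the SrcHostname/EventProduct columns are assumptions; whether those two columns are populated depends on the parser feeding the normalized table.

```kql
// Added hunting query (example, not the Sentinel analytics rule): who is sweeping which port?
// Run it in Logs over the window in which the alert fired; the time range is set inline.
let lookback = 1h;
let threshold = 20;                          // same bar the rule uses: > 20 distinct targets
let watched_ports = dynamic([135, 445]);     // assumed: the ports the alerts have been naming
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection == "Inbound"        // same filter as the rule, so the result set matches
| where DstPortNumber in (watched_ports)
| summarize
    DistinctTargets = dcount(DstIpAddr),     // exact-enough count of hosts reached on this port
    Targets         = make_set(DstIpAddr, 100),
    Sessions        = count(),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated),
    SrcHosts        = make_set(SrcHostname, 5),   // assumed: populated only if the parser provides it
    Sources         = make_set(EventProduct, 5)   // assumed: which log product saw the traffic
    by SrcIpAddr, DstPortNumber
| where DistinctTargets > threshold          // a single client fanning out past the rule's threshold
| order by DistinctTargets desc, LastSeen desc
```

If one SrcIpAddr dominates both ports with sessions spread evenly across the hour, that is the profile of a scheduled discovery job (a monitoring or inventory tool) rather than a user workstation, and the SrcHosts/Sources columns tell you which host and which log source to check; if the rows instead show many sources each just over the threshold, the rule's per-port grouping is what is aggregating normal RPC/SMB traffic into a "sweep", and the threshold or the Inbound filter is the thing to tune.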