Attackers will often perform reconnaissance against customer environments to better understand resources on the network. This rule looks for a single source IP scanning for the same port across multiple destinations.
| Detail | Value |
| --- | --- |
| Type | Threshold |
| Category | Discovery |
| Apply Risk to Entities | srcDevice_ip |
| Signal Name | GCP Port Sweep |
| Summary Expression | Port sweep detected from {{srcDevice_ip}} |
| Threshold Count | 25 |
| Threshold Window | 5m |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0007, _mitreAttackTactic:TA0043, _mitreAttackTechnique:T1046, _mitreAttackTechnique:T1595, _mitreAttackTechnique:T1595.001 |
| Origin | Field |
| --- | --- |
| Normalized Schema | dstDevice_ip_isInternal |
| Normalized Schema | dstPort |
| Normalized Schema | listMatches |
| Normalized Schema | metadata_deviceEventId |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | srcDevice_ip_isInternal |
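The following is an added example, not the rule's own match expression (which this page does not show). It simulates the threshold logic the description states: group events by srcDevice_ip and dstPort, count distinct dstDevice_ip values inside a sliding 5-minute window, and raise one signal per pair once 25 distinct destinations are reached, using the Threshold Count, Threshold Window and Summary Expression values from the table. The dstDevice_ip_isInternal filter, the sliding-window evaluation, and the sample events are assumptions made for the example; the event records use the normalized-schema field names listed above.

```python
# Added example: replays constructed events through the port-sweep threshold
# described by this rule. Not the rule's actual expression.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD_COUNT = 25                      # rule's Threshold Count
THRESHOLD_WINDOW = timedelta(minutes=5)   # rule's Threshold Window (5m)
SUMMARY_TEMPLATE = "Port sweep detected from {srcDevice_ip}"  # Summary Expression


def detect_port_sweeps(events, threshold_count=THRESHOLD_COUNT, window=THRESHOLD_WINDOW):
    """Return one signal per (srcDevice_ip, dstPort) pair whose events reach
    `threshold_count` distinct dstDevice_ip values within any span of `window`.

    Each event is a dict with timestamp, srcDevice_ip, dstDevice_ip, dstPort
    and dstDevice_ip_isInternal (normalized-schema field names from the page).
    """
    groups = defaultdict(list)
    for ev in events:
        # Assumption: only internal destinations count toward a sweep, which
        # is the likely reason dstDevice_ip_isInternal is among the rule's fields.
        if not ev.get("dstDevice_ip_isInternal", False):
            continue
        groups[(ev["srcDevice_ip"], ev["dstPort"])].append(ev)

    signals = []
    for (src_ip, port), group in groups.items():
        group.sort(key=lambda e: e["timestamp"])
        # Sliding window: anchor on each event and count the distinct
        # destinations seen from the anchor up to anchor + window.
        for i, anchor in enumerate(group):
            window_end = anchor["timestamp"] + window
            seen = set()
            for ev in group[i:]:
                if ev["timestamp"] > window_end:
                    break
                seen.add(ev["dstDevice_ip"])
            if len(seen) >= threshold_count:
                signals.append({
                    "srcDevice_ip": src_ip,
                    "dstPort": port,
                    "distinct_destinations": len(seen),
                    "window_start": anchor["timestamp"],
                    "summary": SUMMARY_TEMPLATE.format(srcDevice_ip=src_ip),
                })
                break  # one signal per source/port pair, like a threshold rule
    return signals


def _event(ts, src, dst, port, internal=True):
    return {"timestamp": ts, "srcDevice_ip": src, "dstDevice_ip": dst,
            "dstPort": port, "dstDevice_ip_isInternal": internal}


# Constructed sample events (not real telemetry).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    # Sweep: one source hits port 22 on 30 internal hosts inside two minutes -> fires.
    [_event(T0 + timedelta(seconds=4 * i), "10.0.0.5", f"10.0.1.{i + 1}", 22) for i in range(30)]
    # Slow probe: 30 hosts, one per minute; no 5-minute span holds 25 -> silent.
    + [_event(T0 + timedelta(minutes=i), "10.0.0.7", f"10.0.2.{i + 1}", 3389) for i in range(30)]
    # Normal traffic: a handful of destinations on 443 -> silent.
    + [_event(T0 + timedelta(seconds=i), "10.0.0.9", f"10.0.3.{i + 1}", 443) for i in range(5)]
    # External destinations are excluded by the isInternal filter even when numerous.
    + [_event(T0 + timedelta(seconds=i), "10.0.0.11", f"198.51.100.{i + 1}", 80, internal=False)
       for i in range(30)]
)

if __name__ == "__main__":
    for sig in detect_port_sweeps(SAMPLE_EVENTS):
        print(sig["summary"], "port", sig["dstPort"], "hosts", sig["distinct_destinations"])
```

The slow-probe source shows the limit of a fixed 5-minute window: a scanner that paces itself below the threshold rate never produces a signal, so pairing this rule with a longer-window variant or with the listMatches field (for sources already on a watchlist) is a common tuning choice.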