Attackers will often perform reconnaissance against customer environments to better understand resources on the network. This rule looks for a single source IP scanning for the same port across multiple destinations.
| Detail |
Value |
| Type |
Threshold |
| Category |
Discovery |
| Apply Risk to Entities |
srcDevice_ip |
| Signal Name |
GCP Port Sweep |
| Summary Expression |
Port sweep detected from {{srcDevice_ip}} |
| Threshold Count |
25 |
| Threshold Window |
5m |
| Score/Severity |
Static: 1 |
| Enabled by Default |
True |
| Prototype |
False |
| Tags |
_mitreAttackTactic:TA0007, _mitreAttackTactic:TA0043, _mitreAttackTechnique:T1046, _mitreAttackTechnique:T1595, _mitreAttackTechnique:T1595.001 |
| Origin |
Field |
| Normalized Schema |
dstDevice_ip_isInternal |
| Normalized Schema |
dstPort |
| Normalized Schema |
listMatches |
| Normalized Schema |
metadata_deviceEventId |
| Normalized Schema |
metadata_product |
| Normalized Schema |
metadata_vendor |
| Normalized Schema |
srcDevice_ip |
| Normalized Schema |
srcDevice_ip_isInternal |