StormScan: Coordinated Recon Detection
Last updated on:
In this page
About the rule
Rule Type
Advanced
Rule Description
This rule detects coordinated port scanning activity across multiple endpoints, indicating potential reconnaissance by an adversary attempting to map network services.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Portscan blocked"
| timewindow 2m
| groupby SOURCE_IP having COUNT >= 10
select Action1.timewindow.HOSTNAME,Action1.timewindow.ENDPOINT_NAME,Action1.timewindow.USERNAME,Action1.timewindow.DOMAIN
Detection
Execution Mode
realtime
Log Sources
Bitdefender


