[Rule Tuning] Potential Network Scan Detected

Author: w0rk3r

rules/network/discovery_potential_port_scan_detected.toml

@@ -2,23 +2,21 @@
 creation_date = "2023/05/17"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/02/28"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
-target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By
-mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
-unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
-exploitation of the targeted system or network. This rule defines a threshold-based approach to detect connection
-attempts from a single source to a wide range of destination ports.
+This rule identifies a potential port scan from an internal IP address. A port scan is a method utilized by attackers to
+systematically scan a target system for open ports, allowing them to identify available services and potential
+vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted
+attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized
+control, or further exploitation of the targeted system. This rule defines a threshold-based approach to detect
+connection attempts from a single internal source to a wide range of destination ports on a single destination.
 """
 from = "now-9m"
-index = ["logs-network_traffic.*", "packetbeat-*", "filebeat-*", "logs-panw.panos*"]
-language = "kuery"
+language = "esql"
 license = "Elastic License v2"
-max_signals = 5
 name = "Potential Network Scan Detected"
 risk_score = 21
 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
@@ -32,10 +30,19 @@ tags = [
     "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
-type = "threshold"
+type = "esql"
 
 query = '''
-event.action:network_flow and destination.port:* and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+from logs-network_traffic.*, packetbeat-*, filebeat-*, logs-panw.panos*
+| mv_expand event.action
+| where event.action == "network_flow" and destination.port is not null and source.ip is not null and destination.ip is not null
+| where CIDR_MATCH(source.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
+| stats
+    Esql.count_distinct_destination_ports = COUNT_DISTINCT(destination.port),
+    Esql.values_destination_ports = VALUES(destination.port)
+  by destination.ip, source.ip
+| where Esql.count_distinct_destination_ports >= 250
+| keep source.ip, destination.ip, Esql.*
 '''
 note = """## Triage and analysis
 
@@ -103,11 +110,3 @@ reference = "https://attack.mitre.org/techniques/T1595/001/"
 id = "TA0043"
 name = "Reconnaissance"
 reference = "https://attack.mitre.org/tactics/TA0043/"
-
-[rule.threshold]
-field = ["destination.ip", "source.ip"]
-value = 1
-
-[[rule.threshold.cardinality]]
-field = "destination.port"
-value = 250