Detects processes performing network enumeration (e.g., port sweeps, service probing) by correlating Sysmon process creation (EventCode 1) with the network connections the same process opens (EventCode 3), and flagging a process that reaches many distinct, often sequential, destination IPs or ports within a time window.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Field | Description |
|---|---|
| ScanRateThreshold | Defines the number of unique destination IPs or ports accessed within a time window that may indicate a scan. |
| KnownScannerExeList | List of scanner binaries that IT is permitted to run (e.g., Nmap, Nessus); connections originating from these images are suppressed rather than alerted. |
| TimeWindow | Temporal bounds for correlating sequential connections (e.g., 60 seconds). |
Detects network scanning utilities or scripts making rapid connections to many services or hosts, using auditd execve records to identify the tool and its arguments, and netflow/pcap telemetry to observe the outbound SYN/UDP fan-out to multiple ports or hosts.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Flow (DC0078) | NSM:Flow | Outbound TCP SYN or UDP to multiple ports/hosts |
| Field | Description |
|---|---|
| PortScanThreshold | Number of distinct ports targeted on a single host within a short period, above which the activity is treated as a port scan. |
| ToolPatternRegex | Regex to match common scanner arguments (e.g., `nmap -sS`, `nc -zv`). |
| ExpectedScanSources | Trusted IPs or systems performing routine discovery. |
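The two analytics above share one correlation shape: join each connection to the process that created it, keep a sliding window per actor, and fire when the unique-destination count (ScanRateThreshold), the per-host unique-port count (PortScanThreshold) or the command line (ToolPatternRegex) crosses a tunable, unless the actor is on KnownScannerExeList or ExpectedScanSources. The Python below is an added example written for this page, not detection code from the original page or from any product. It runs over constructed Sysmon-style and auditd/flow-style records (not real logs), keys Sysmon and auditd events by host:pid and flow records by source IP (flows carry no PID), and the threshold values, the regex and the allow-lists are assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Tunables named after the fields in the tables above; the values are assumptions for this example.
SCAN_RATE_THRESHOLD = 5      # unique destination IPs reached by one actor inside TIME_WINDOW
PORT_SCAN_THRESHOLD = 5      # unique ports reached on one destination host inside TIME_WINDOW
TIME_WINDOW = 60.0           # seconds
KNOWN_SCANNER_EXE_LIST = {"nessusd", "nessusd.exe", "nmap", "nmap.exe"}   # IT-operated scanner images
EXPECTED_SCAN_SOURCES = {"10.0.0.5"}                                      # assumed scanner appliance IP
TOOL_PATTERN_REGEX = re.compile(r"\b(nmap\s+-s[SUTAFNXV]|nc\s+-\w*z|masscan\b)", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    actor: str
    detail: str


class ScanDetector:
    # actor is "host:pid" where telemetry carries a PID (Sysmon EventCode 1/3, auditd execve) and the
    # source IP for NSM flow records, which have no PID to join on.
    def __init__(self):
        self.image = {}                    # actor -> executable basename from process creation
        self.window = defaultdict(deque)   # actor -> recent (ts, dst_ip, dst_port)
        self.fired = set()                 # (actor, rule) already alerted, so a scan yields one alert

    def _allowlisted(self, actor):
        return (self.image.get(actor, "").lower() in KNOWN_SCANNER_EXE_LIST
                or actor in EXPECTED_SCAN_SOURCES)

    def _emit(self, rule, actor, detail):
        if (actor, rule) in self.fired or self._allowlisted(actor):
            return None
        self.fired.add((actor, rule))
        return Alert(rule, actor, detail)

    def on_process(self, ts, actor, image, cmdline):
        """Process creation: remember the image and match the command line against ToolPatternRegex."""
        self.image[actor] = image.replace("\\", "/").rsplit("/", 1)[-1]
        m = TOOL_PATTERN_REGEX.search(cmdline)
        return self._emit("scanner_cmdline", actor, f"matched {m.group(0)!r} in {cmdline!r}") if m else None

    def on_connection(self, ts, actor, dst_ip, dst_port):
        """Connection creation: apply the host-sweep and per-host port-scan thresholds over the window."""
        q = self.window[actor]
        q.append((ts, dst_ip, dst_port))
        while q and ts - q[0][0] > TIME_WINDOW:
            q.popleft()
        alerts = []
        ips = {d for _, d, _ in q}
        if len(ips) >= SCAN_RATE_THRESHOLD:
            alerts.append(self._emit("host_sweep", actor, f"{len(ips)} hosts within {TIME_WINDOW:.0f}s"))
        ports = defaultdict(set)
        for _, d, p in q:
            ports[d].add(p)
        for d, ps in ports.items():
            if len(ps) >= PORT_SCAN_THRESHOLD:
                alerts.append(self._emit(f"port_scan:{d}", actor, f"{len(ps)} ports on {d}"))
        return [a for a in alerts if a]


def ingest_sysmon(det, ev):
    """Sysmon EventCode 1 and 3 share Computer/ProcessId, which is the join key."""
    actor = f"{ev['Computer']}:{ev['ProcessId']}"
    if ev["EventCode"] == 1:
        a = det.on_process(ev["UtcTime"], actor, ev["Image"], ev["CommandLine"])
        return [a] if a else []
    if ev["EventCode"] == 3:
        return det.on_connection(ev["UtcTime"], actor, ev["DestinationIp"], int(ev["DestinationPort"]))
    return []


# Constructed sample telemetry (not real logs), timestamps as epoch seconds: a PowerShell host sweep,
# an nc port scan seen via auditd plus flow records, and a Nessus sweep from the expected source.
SYSMON = [{"EventCode": 1, "UtcTime": 0, "Computer": "WS01", "ProcessId": 4321,
           "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "CommandLine": "powershell -c 1..20 | % { Test-NetConnection 10.0.1.$_ -Port 445 }"}]
SYSMON += [{"EventCode": 3, "UtcTime": i, "Computer": "WS01", "ProcessId": 4321,
            "DestinationIp": f"10.0.1.{i}", "DestinationPort": 445} for i in range(1, 21)]
AUDITD = [{"ts": 100, "host": "lx01", "pid": 777, "exe": "/usr/bin/nc", "cmdline": "nc -zv 10.0.2.7 20-1024"}]
FLOWS = [{"ts": 101 + i, "src_ip": "10.0.2.50", "dst_ip": "10.0.2.7", "dst_port": p}
         for i, p in enumerate([22, 25, 80, 443, 3306, 8080])]
FLOWS += [{"ts": 200 + i, "src_ip": "10.0.0.5", "dst_ip": f"10.0.3.{i}", "dst_port": 22} for i in range(1, 11)]


def run_sample():
    det = ScanDetector()
    alerts = []
    for ev in SYSMON:
        alerts += ingest_sysmon(det, ev)
    for r in AUDITD:   # auditd execve carries the PID; flows are keyed by source IP instead
        a = det.on_process(r["ts"], f"{r['host']}:{r['pid']}", r["exe"], r["cmdline"])
        alerts += [a] if a else []
    for f in FLOWS:
        alerts += det.on_connection(f["ts"], f["src_ip"], f["dst_ip"], f["dst_port"])
    return alerts
```

On the constructed input this yields three alerts: the PowerShell process trips `host_sweep` at its fifth distinct address, the `nc -zv` command line matches the regex at execve, and the flow records from 10.0.2.50 trip `port_scan` on the fifth port, while the Nessus appliance's sweep is suppressed by ExpectedScanSources. The `fired` set collapses a long scan into one alert per rule; drop it if your pipeline prefers to count hits.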
Detects Bonjour-based mDNS enumeration or use of system tools (e.g., dns-sd, nmap) to find active services via multicast probing or targeted scans.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | dns-sd, mDNSResponder, socket activity |
| Process Creation (DC0032) | macos:osquery | process_events |
| Field | Description |
|---|---|
| MDNSServiceQueryPatterns | mDNS service queries such as `_ssh._tcp.local` that may indicate service discovery. |
| UserContext | Adjust alerting based on whether discovery activity originates from a background daemon vs. interactive session. |
| ScanToolList | Expected tools that could trigger mDNS or TCP/UDP scans (e.g., dns-sd, nmap). |
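The mDNS analytic above turns on two things the tables name: which service types a process browses for (MDNSServiceQueryPatterns) and whether the process runs in a daemon or an interactive user context (UserContext), with ScanToolList separating an expected tool from an unexpected binary. The Python below is an added example for this page, not code from the original page or from macOS. It parses a simplified, constructed line shape (not the real unified log format), extracts DNS-SD service names, counts distinct watch-listed service types per process inside a window, and also flags the `_services._dns-sd._udp.local` meta-query that RFC 6763 section 9 defines for listing every service type on the link. The watch-list, thresholds and uid boundary are assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Tunables named after the fields in the table above; the values are assumptions for this example.
MDNS_SERVICE_QUERY_PATTERNS = {"_ssh._tcp", "_sftp-ssh._tcp", "_smb._tcp", "_afpovertcp._tcp",
                               "_rfb._tcp", "_http._tcp"}          # service types worth watching
SERVICE_TYPE_ENUMERATION = "_services._dns-sd._udp"                 # RFC 6763 s.9: "list every service type"
SCAN_TOOL_LIST = {"dns-sd", "nmap"}                                  # expected discovery tools
BREADTH_THRESHOLD = 3           # distinct watch-listed service types per process inside TIME_WINDOW
TIME_WINDOW = 120.0             # seconds
FIRST_USER_UID = 500            # macOS creates interactive accounts from uid 501; lower uids are daemons

# Constructed line shape (not the real unified log format): "<epoch> <process>[<pid>] uid=<uid>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]\s+uid=(?P<uid>\d+):\s+(?P<msg>.*)$")
NAME_RE = re.compile(r"(?P<name>(?:_[\w-]+\.)+_(?:tcp|udp))\.local\.?")


@dataclass(frozen=True)
class Alert:
    rule: str
    actor: str
    context: str
    severity: str
    detail: str


def parse_line(line):
    """Return (ts, proc, pid, uid, service_type) for a line carrying a DNS-SD service name, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    n = NAME_RE.search(m["msg"])
    if not n:
        return None
    return float(m["ts"]), m["proc"], int(m["pid"]), int(m["uid"]), n["name"]


def user_context(uid):
    """UserContext from the table above: background daemon versus interactive user session."""
    return "interactive" if uid > FIRST_USER_UID else "daemon"


def severity_for(proc, context):
    # Daemon-context browsing (Finder's sidebar through mDNSResponder, for example) is routine;
    # an expected tool driven by a user is medium; an unexpected binary browsing from a user session is high.
    if context == "daemon":
        return "low"
    return "medium" if proc in SCAN_TOOL_LIST else "high"


class MdnsEnumDetector:
    def __init__(self):
        self.window = defaultdict(deque)   # actor -> recent (ts, service_type)
        self.fired = set()                 # (actor, rule) already alerted

    def on_query(self, ts, proc, pid, uid, service_type):
        actor = f"{proc}:{pid}"
        ctx = user_context(uid)
        q = self.window[actor]
        q.append((ts, service_type))
        while q and ts - q[0][0] > TIME_WINDOW:
            q.popleft()
        alerts = []
        if service_type == SERVICE_TYPE_ENUMERATION and (actor, "meta") not in self.fired:
            self.fired.add((actor, "meta"))
            alerts.append(Alert("service_type_enumeration", actor, ctx, severity_for(proc, ctx), service_type))
        watched = {s for _, s in q if s in MDNS_SERVICE_QUERY_PATTERNS}
        if len(watched) >= BREADTH_THRESHOLD and (actor, "breadth") not in self.fired:
            self.fired.add((actor, "breadth"))
            alerts.append(Alert("mdns_browse_breadth", actor, ctx, severity_for(proc, ctx),
                                ", ".join(sorted(watched))))
        return alerts


# Constructed sample lines (not captured logs).
SAMPLE_LOG = [
    "1000 mDNSResponder[200] uid=65: browse for _smb._tcp.local. on behalf of Finder",
    "1010 dns-sd[512] uid=501: Browsing for _ssh._tcp.local.",
    "1012 dns-sd[512] uid=501: Browsing for _smb._tcp.local.",
    "1015 dns-sd[512] uid=501: Browsing for _rfb._tcp.local.",
    "1020 kernel[0] uid=0: wlan interface en0 link up",
    "1030 python3[700] uid=501: sending PTR query _services._dns-sd._udp.local.",
]


def run_sample(lines=SAMPLE_LOG):
    det = MdnsEnumDetector()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            alerts += det.on_query(*parsed)
    return alerts
```

On the sample, mDNSResponder's single daemon-context browse produces nothing, the user-driven `dns-sd` session that browses three watch-listed types in two minutes produces a medium `mdns_browse_breadth` alert, and the unknown `python3` process issuing the service-type enumeration query produces a high alert. With osquery `process_events` as the source instead, the same `on_query` call can be fed from the process name, pid and uid columns once the query name is available from the network side.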
Detects lateral discovery from inside a container, including the reconnaissance that precedes breakout attempts, where netcat, curl, or custom binaries probe other services in the same namespace or VPC subnet.
| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | ebpf:syscalls | socket connect |
| Process Creation (DC0032) | ebpf:syscalls | execve |
| Network Traffic Flow (DC0078) | containerd:runtime | container-level outbound traffic events |
| Field | Description |
|---|---|
| ExecutablePath | Path of the probing executable; custom or renamed copies of known tools may run from unexpected paths, so do not rely on the path alone. |
| TimeWindow | Aggregation interval for identifying anomalous traffic. |
| NetworkDestinationCount | Tunable count of unique destinations within TimeWindow above which activity is classified as discovery. |
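What distinguishes the container analytic above from the host-level ones is scope and identity: the destinations that matter are the ones inside the container's own subnet (the same namespace or VPC subnet), and the executable path is unreliable because dropped or renamed tools, or busybox applets, do not look like `nc` or `curl` on disk. The Python below is an added example for this page, not code from the original page, containerd or any eBPF tracer. It replays a constructed stream of execve and connect events (not captured telemetry), resolves a tool identity from the multi-call applet name when the exe is busybox, flags executables that run from writable scratch directories, scopes the NetworkDestinationCount test to destinations that share the source's subnet, and reports how many of those addresses were contacted in numerical sequence, a signature of an ordered sweep. The /24 prefix, scratch directories and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass

# Tunables named after the fields in the table above; the values are assumptions for this example.
NETWORK_DESTINATION_COUNT = 5     # unique same-subnet destinations per process inside TIME_WINDOW
SEQUENTIAL_RUN_MIN = 4            # consecutive addresses that upgrade a sweep to high severity
TIME_WINDOW = 60.0                # seconds
CONTAINER_PREFIXLEN = 24          # assumed pod/VPC subnet size used to scope "lateral" destinations
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # writable paths where dropped tools usually land
MULTICALL_BINARIES = {"busybox", "toybox"}           # applet is chosen by argv[0], not by the exe path


@dataclass
class ProcInfo:
    tool: str              # resolved tool identity (ExecutablePath alone is not trustworthy)
    exe: str
    suspicious_path: bool


@dataclass(frozen=True)
class Alert:
    container: str
    pid: int
    tool: str
    severity: str
    destinations: int
    sequential_run: int


def resolve_tool(exe, argv):
    """Name the tool by exe basename, or by the applet name when exe is a multi-call binary."""
    base = exe.rsplit("/", 1)[-1]
    if base in MULTICALL_BINARIES and argv:
        return f"{argv[0].rsplit('/', 1)[-1]} (via {base})"
    return base


def longest_sequential_run(ips):
    """Length of the longest run of numerically consecutive addresses in the set."""
    ints = sorted({int(ipaddress.ip_address(i)) for i in ips})
    best = run = 1 if ints else 0
    for a, b in zip(ints, ints[1:]):
        run = run + 1 if b - a == 1 else 1
        best = max(best, run)
    return best


class ContainerSweepDetector:
    def __init__(self):
        self.procs = {}                    # (container, pid) -> ProcInfo from execve
        self.window = defaultdict(deque)   # (container, pid) -> recent (ts, dst_ip)
        self.fired = set()                 # one alert per process

    def on_execve(self, container, pid, exe, argv):
        self.procs[(container, pid)] = ProcInfo(resolve_tool(exe, argv), exe, exe.startswith(SCRATCH_DIRS))

    def on_connect(self, ts, container, pid, src_ip, dst_ip):
        key = (container, pid)
        q = self.window[key]
        q.append((ts, dst_ip))
        while q and ts - q[0][0] > TIME_WINDOW:
            q.popleft()
        if key in self.fired:
            return None
        subnet = ipaddress.ip_network(f"{src_ip}/{CONTAINER_PREFIXLEN}", strict=False)
        local = {d for _, d in q if ipaddress.ip_address(d) in subnet}
        if len(local) < NETWORK_DESTINATION_COUNT:
            return None
        self.fired.add(key)
        info = self.procs.get(key) or ProcInfo("unknown", "", False)
        run = longest_sequential_run(local)
        severity = "high" if info.suspicious_path or run >= SEQUENTIAL_RUN_MIN else "medium"
        return Alert(container, pid, info.tool, severity, len(local), run)


# Constructed eBPF-style event stream (not captured telemetry): ("execve", container, pid, exe, argv)
# and ("connect", ts, container, pid, src_ip, dst_ip).
SAMPLE_EVENTS = (
    [("execve", "web-7f3a", 1212, "/tmp/.scan", ["./.scan", "10.42.0.0/24"])]
    + [("connect", 1.0 + i, "web-7f3a", 1212, "10.42.0.17", f"10.42.0.{i}") for i in range(1, 13)]
    + [("execve", "batch-91", 300, "/usr/bin/curl", ["curl", "https://api.example.com"])]
    + [("connect", 20.0 + i, "batch-91", 300, "10.42.0.33", ip)
       for i, ip in enumerate(["52.1.2.3", "52.1.2.4", "52.9.9.9"])]
    + [("execve", "db-22", 55, "/bin/busybox", ["nc", "-z", "10.42.1.5", "22"])]
    + [("connect", 40.0 + i, "db-22", 55, "10.42.1.40", f"10.42.1.{o}") for i, o in enumerate([5, 7, 9, 11, 13])]
)


def run_sample(events=SAMPLE_EVENTS):
    det = ContainerSweepDetector()
    alerts = []
    for ev in events:
        if ev[0] == "execve":
            det.on_execve(*ev[1:])
        else:
            a = det.on_connect(*ev[1:])
            if a:
                alerts.append(a)
    return alerts
```

On the sample, the renamed binary under `/tmp` that walks 10.42.0.1 upwards is reported as a high-severity sweep with a sequential run of five addresses by the time the count threshold is met; the `curl` process talking to three external addresses never reaches the count because none of them are in its subnet; and the busybox process is reported as `nc (via busybox)` at medium severity, since its five targets are in-subnet but not consecutive and its path is not suspicious. When the container runtime's own outbound-traffic events are the source rather than eBPF connect hooks, feed them into `on_connect` with the container id in place of the pid if no process attribution is available.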