← Back to Explore
splunk_escuTTP
Internal Horizontal Port Scan
This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
Detection Query
| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port) as src_port count FROM datamodel=Network_Traffic
WHERE All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
BY All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip
All_Traffic.transport All_Traffic.rule span=1s
_time
| `drop_dm_object_name("All_Traffic")`
| eval gtime=_time
| bin span=1h gtime
| stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip dest_port gtime
transport
| where totalDestIPCount>=250
| eval dest_port=transport + "/" + dest_port
| stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip gtime
| fields - gtime
| `internal_horizontal_port_scan_filter`Author
Dean Luxton
Data Sources
AWS CloudWatchLogs VPCflowCisco Secure Firewall Threat Defense Connection Event
Raw Content
name: Internal Horizontal Port Scan
id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1
version: 14
creation_date: '2024-07-01'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: TTP
description: This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
data_source:
- AWS CloudWatchLogs VPCflow
- Cisco Secure Firewall Threat Defense Connection Event
search: |-
| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port) as src_port count FROM datamodel=Network_Traffic
WHERE All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
BY All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip
All_Traffic.transport All_Traffic.rule span=1s
_time
| `drop_dm_object_name("All_Traffic")`
| eval gtime=_time
| bin span=1h gtime
| stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip dest_port gtime
transport
| where totalDestIPCount>=250
| eval dest_port=transport + "/" + dest_port
| stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip gtime
| fields - gtime
| `internal_horizontal_port_scan_filter`
how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to enable this search effectively.
known_false_positives: No false positives have been identified at this time.
references: []
drilldown_searches:
- name: View the detection results for - "$src_ip$"
search: '%original_detection_search% | search src_ip = "$src_ip$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs
entity:
field: dest_ports
type: system
score: 50
threat_objects:
- field: src_ip
type: ip_address
analytic_story:
- Network Discovery
- Cisco Secure Firewall Threat Defense Analytics
- China-Nexus Threat Activity
- Scattered Lapsus$ Hunters
asset_type: Endpoint
mitre_attack_id:
- T1046
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: network
security_domain: network
tests:
- name: AWS CloudWatch True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
source: aws:cloudwatchlogs:vpcflow
sourcetype: aws:cloudwatchlogs:vpcflow
test_type: unit
- name: Cisco Secure Firewall True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
source: not_applicable
sourcetype: cisco:sfw:estreamer
test_type: unit