← Back to Explore
splunk_escuTTP
Internal Horizontal Port Scan
This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
MITRE ATT&CK
Detection Query
| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port) as src_port count FROM datamodel=Network_Traffic
WHERE All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
BY All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip
All_Traffic.transport All_Traffic.rule span=1s
_time
| `drop_dm_object_name("All_Traffic")`
| eval gtime=_time
| bin span=1h gtime
| stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip dest_port gtime
transport
| where totalDestIPCount>=250
| eval dest_port=transport + "/" + dest_port
| stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip gtime
| fields - gtime
| `internal_horizontal_port_scan_filter`Author
Dean Luxton
Created
2026-03-10
Data Sources
AWS CloudWatchLogs VPCflowCisco Secure Firewall Threat Defense Connection Event
Tags
Network DiscoveryCisco Secure Firewall Threat Defense AnalyticsChina-Nexus Threat ActivityScattered Lapsus$ Hunters
Raw Content
name: Internal Horizontal Port Scan
id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1
version: 12
date: '2026-03-10'
author: Dean Luxton
status: production
type: TTP
data_source:
- AWS CloudWatchLogs VPCflow
- Cisco Secure Firewall Threat Defense Connection Event
description: This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
search: |-
| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port) as src_port count FROM datamodel=Network_Traffic
WHERE All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
BY All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip
All_Traffic.transport All_Traffic.rule span=1s
_time
| `drop_dm_object_name("All_Traffic")`
| eval gtime=_time
| bin span=1h gtime
| stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip dest_port gtime
transport
| where totalDestIPCount>=250
| eval dest_port=transport + "/" + dest_port
| stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip gtime
| fields - gtime
| `internal_horizontal_port_scan_filter`
how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to enable this search effectively.
known_false_positives: No false positives have been identified at this time.
references: []
drilldown_searches:
- name: View the detection results for - "$src_ip$"
search: '%original_detection_search% | search src_ip = "$src_ip$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs
risk_objects:
- field: dest_ports
type: system
score: 50
threat_objects:
- field: src_ip
type: ip_address
tags:
analytic_story:
- Network Discovery
- Cisco Secure Firewall Threat Defense Analytics
- China-Nexus Threat Activity
- Scattered Lapsus$ Hunters
asset_type: Endpoint
mitre_attack_id:
- T1046
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: AWS CloudWatch True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
source: aws:cloudwatchlogs:vpcflow
sourcetype: aws:cloudwatchlogs:vpcflow
- name: Cisco Secure Firewall True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
source: not_applicable
sourcetype: cisco:sfw:estreamer