EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Internal Vulnerability Scan

This analytic detects internal hosts triggering multiple IDS signatures, which may include either more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. Such patterns can indicate active vulnerability scanning activities within the network. By monitoring IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, enhancing the network's security posture and preventing potential exploits.

MITRE ATT&CK

T1595.002T1046

Detection Query

| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) as dest_category count FROM datamodel=Intrusion_Detection.IDS_Attacks
  WHERE IDS_Attacks.src IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, high, medium)
  BY IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature
     IDS_Attacks.dest IDS_Attacks.dest_port IDS_Attacks.transport
     span=1s _time
| `drop_dm_object_name("IDS_Attacks")`
| eval gtime=_time
| bin span=1h gtime
| eventstats count as sevCount
  BY severity src
| eventstats count as sigCount
  BY signature src
| eval severity=severity +"("+sevCount+")"
| eval signature=signature +"("+sigCount+")"
| eval dest_port=transport + "/" + dest_port
| stats min(_time) as _time values(action) as action dc(dest) as destCount dc(signature) as sigCount values(signature) values(src_category) as src_category values(dest_category) as dest_category values(severity) as severity values(dest_port) as dest_ports
  BY src gtime
| fields - gtime
| where destCount>25 OR sigCount>25
| `internal_vulnerability_scan_filter`

Author

Dean Luxton

Created

2026-03-10

Tags

Network DiscoveryScattered Lapsus$ Hunters
Raw Content
name: Internal Vulnerability Scan
id: 46f946ed-1c78-4e96-9906-c7a4be15e39b
version: 7
date: '2026-03-10'
author: Dean Luxton
status: experimental
type: TTP
data_source: []
description: This analytic detects internal hosts triggering multiple IDS signatures, which may include either more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. Such patterns can indicate active vulnerability scanning activities within the network. By monitoring IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, enhancing the network's security posture and preventing potential exploits.
search: |-
    | tstats `security_content_summariesonly` values(IDS_Attacks.action) as action values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) as dest_category count FROM datamodel=Intrusion_Detection.IDS_Attacks
      WHERE IDS_Attacks.src IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, high, medium)
      BY IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature
         IDS_Attacks.dest IDS_Attacks.dest_port IDS_Attacks.transport
         span=1s _time
    | `drop_dm_object_name("IDS_Attacks")`
    | eval gtime=_time
    | bin span=1h gtime
    | eventstats count as sevCount
      BY severity src
    | eventstats count as sigCount
      BY signature src
    | eval severity=severity +"("+sevCount+")"
    | eval signature=signature +"("+sigCount+")"
    | eval dest_port=transport + "/" + dest_port
    | stats min(_time) as _time values(action) as action dc(dest) as destCount dc(signature) as sigCount values(signature) values(src_category) as src_category values(dest_category) as dest_category values(severity) as severity values(dest_port) as dest_ports
      BY src gtime
    | fields - gtime
    | where destCount>25 OR sigCount>25
    | `internal_vulnerability_scan_filter`
how_to_implement: For this detection to function effectively, it is essential to ingest IDS/IPS logs that are mapped to the Common Information Model (CIM). These logs provide the necessary security-related telemetry and contextual information needed to accurately identify and analyze potential threats.
known_false_positives: Internal vulnerability scanners will trigger this detection.
references: []
rba:
    message: Large volume of IDS signatures triggered by $src$
    risk_objects:
        - field: src
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Network Discovery
        - Scattered Lapsus$ Hunters
    asset_type: Endpoint
    mitre_attack_id:
        - T1595.002
        - T1046
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network