← Back to Explore
splunk_escuAnomaly
Windows Detect Network Scanner Behavior
The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.
Detection Query
| tstats `security_content_summariesonly` count values(All_Traffic.action) as action values(All_Traffic.dest) as dest values(All_Traffic.dest_port) as dest_port values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dvc) as dvc values(All_Traffic.direction) as direction values(All_Traffic.protocol) as protocol values(All_Traffic.protocol_version) as protocol_version values(All_Traffic.src_port) as src_port values(All_Traffic.transport) as transport dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by All_Traffic.app All_Traffic.src All_Traffic.src_ip All_Traffic.user All_Traffic.vendor_product _time span=5m | `drop_dm_object_name(All_Traffic)` | rex field=app ".*\\\(?<process_name>.*)$" | where port_count > 10 OR dest_count > 10 | stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by user,app,process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_detect_network_scanner_behavior_filter`Author
Steven Dick
Created
2026-03-10
Data Sources
Sysmon EventID 3
Tags
Network DiscoveryWindows Discovery Techniques
Raw Content
name: Windows Detect Network Scanner Behavior
id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
version: 7
date: '2026-03-10'
author: Steven Dick
status: production
type: Anomaly
description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.
data_source:
- Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count values(All_Traffic.action) as action values(All_Traffic.dest) as dest values(All_Traffic.dest_port) as dest_port values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dvc) as dvc values(All_Traffic.direction) as direction values(All_Traffic.protocol) as protocol values(All_Traffic.protocol_version) as protocol_version values(All_Traffic.src_port) as src_port values(All_Traffic.transport) as transport dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by All_Traffic.app All_Traffic.src All_Traffic.src_ip All_Traffic.user All_Traffic.vendor_product _time span=5m | `drop_dm_object_name(All_Traffic)` | rex field=app ".*\\\(?<process_name>.*)$" | where port_count > 10 OR dest_count > 10 | stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by user,app,process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_detect_network_scanner_behavior_filter`'
how_to_implement: This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel.
known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed.
references:
- https://attack.mitre.org/techniques/T1595
drilldown_searches:
- name: View the detection results for - "$src$" and "$user$"
search: '%original_detection_search% | search src = "$src$" user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
risk_objects:
- field: src
type: system
score: 20
- field: user
type: user
score: 20
threat_objects:
- field: process_name
type: process_name
tags:
analytic_story:
- Network Discovery
- Windows Discovery Techniques
asset_type: Endpoint
mitre_attack_id:
- T1595.001
- T1595.002
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog