Hi
@Talal Ansari,
I am not sure about what building block you mean, but for a TCP port scan you can use the following rule logic to detect it.
    and when the IP protocol is one of the following: TCP
    and when the event context is: Local to Local
    and when at least 15 events are seen with the same Source IP, Destination IP and different Destination Port in 5 minutes
The number of events and time can change based on your requirement. Less time will be more aggressive in detecting and may detect false positives.
P.S. Be aware of any scanning tool like vulnerability scanners or inventory tools which legitimately scan the network.
Let me know if you have any more questions.
------------------------------
Chinmay Kulkarni
------------------------------
Original Message:
Sent: Mon January 20, 2020 06:25 AM
From: Talal Ansari
Subject: Qradar rule
I am trying to configure a rule for a tcp port scan that runs from inside my environment. But the building blocks don't seem to make sense. Can any one help me with respect to this?
------------------------------
Talal Ansari
------------------------------