kql | Elastic-2.0 | from elastic/detection-rules

Potential Network Sweep Detected

Quality: 92
Rule source: rules/network/discovery_potential_network_sweep_detected.toml

event.action:(network_flow or flow_started) and destination.port:(21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)