kql | Elastic-2.0 | from elastic/detection-rules
Potential SYN-Based Port Scan Detected
Quality: 92
FP risk: —
Rule source: rules/network/discovery_potential_syn_port_scan_detected.toml
event.action:(network_flow or flow_started) and destination.port:* and network.packets <= 2 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)