Skip to main content
Version: 7.4

Port Scan

Port Scan

Identifying a Port Scan is crucial in the realm of network security, as it often represents the initial stage of reconnaissance in potential cyber attacks. In a port scan, attackers systematically check a host for open ports by sending client requests to multiple ports and observing the responses. Open ports can reveal about active services, potentially unveiling vulnerabilities that could be exploited for unauthorized access or malicious activities. Early detection of port scans is therefore vital for preemptive security measures, allowing network administrators to assess and fortify their defenses, close unnecessary ports, and monitor suspected sources for further suspicious activities.

ElastiFlow provides a collection of anomaly detection jobs designed to identify port scans including various monitoring strategies and analytical techniques aimed at detecting the distinctive patterns of such reconnaissance activities.

Attributes

AttributeInformation
Analysis Typepopulation
MITRE ATT&CK TechniqueNetwork Service Scanning (T1046)
MITRE ATT&CK TacticDiscovery (TA0007)

Downloads

SchemaVectorPerspectiveWindowLink
CODEXdirectedgefastelastiflow_codex_netsec_port_scan_direct_edge_fast
CODEXdirectedgeslowelastiflow_codex_netsec_port_scan_direct_edge_slow
CODEXdirectinboundfastelastiflow_codex_netsec_port_scan_direct_in_fast
CODEXdirectinboundslowelastiflow_codex_netsec_port_scan_direct_in_slow
CODEXdirectoutboundfastelastiflow_codex_netsec_port_scan_direct_out_fast
CODEXdirectoutboundslowelastiflow_codex_netsec_port_scan_direct_out_slow
CODEXdirectprivatefastelastiflow_codex_netsec_port_scan_direct_priv_fast
CODEXdirectprivateslowelastiflow_codex_netsec_port_scan_direct_priv_slow
CODEXdistributededgefastelastiflow_codex_netsec_port_scan_distrib_edge_fast
CODEXdistributededgeslowelastiflow_codex_netsec_port_scan_distrib_edge_slow
CODEXdistributedinboundfastelastiflow_codex_netsec_port_scan_distrib_in_fast
CODEXdistributedinboundslowelastiflow_codex_netsec_port_scan_distrib_in_slow
CODEXdistributedoutboundfastelastiflow_codex_netsec_port_scan_distrib_out_fast
CODEXdistributedoutboundslowelastiflow_codex_netsec_port_scan_distrib_out_slow
CODEXdistributedprivatefastelastiflow_codex_netsec_port_scan_distrib_priv_fast
CODEXdistributedprivateslowelastiflow_codex_netsec_port_scan_distrib_priv_slow
ECSdirectedgefastelastiflow_ecs_netsec_port_scan_direct_edge_fast
ECSdirectedgeslowelastiflow_ecs_netsec_port_scan_direct_edge_slow
ECSdirectinboundfastelastiflow_ecs_netsec_port_scan_direct_in_fast
ECSdirectinboundslowelastiflow_ecs_netsec_port_scan_direct_in_slow
ECSdirectoutboundfastelastiflow_ecs_netsec_port_scan_direct_out_fast
ECSdirectoutboundslowelastiflow_ecs_netsec_port_scan_direct_out_slow
ECSdirectprivatefastelastiflow_ecs_netsec_port_scan_direct_priv_fast
ECSdirectprivateslowelastiflow_ecs_netsec_port_scan_direct_priv_slow
ECSdistributededgefastelastiflow_ecs_netsec_port_scan_distrib_edge_fast
ECSdistributededgeslowelastiflow_ecs_netsec_port_scan_distrib_edge_slow
ECSdistributedinboundfastelastiflow_ecs_netsec_port_scan_distrib_in_fast
ECSdistributedinboundslowelastiflow_ecs_netsec_port_scan_distrib_in_slow
ECSdistributedoutboundfastelastiflow_ecs_netsec_port_scan_distrib_out_fast
ECSdistributedoutboundslowelastiflow_ecs_netsec_port_scan_distrib_out_slow
ECSdistributedprivatefastelastiflow_ecs_netsec_port_scan_distrib_priv_fast
ECSdistributedprivateslowelastiflow_ecs_netsec_port_scan_distrib_priv_slow

By deploying this suite of anomaly detection jobs, organizations can effectively identify port scanning activities in their early stages. Prompt detection of port scans allows network administrators to take immediate action, such as reconfiguring firewalls, shutting down unnecessary services, or increasing surveillance on critical assets, thereby enhancing the overall security posture of the network and preventing potential breaches.