Port Scan Detection

A port scanner was detected from source IP 10.10.61.189 scanning destination IP 2.1.1.4. The scan occurred over 1 minute and 2 seconds, generating 1 event. The source IP has been involved in 8 previous offenses targeting various destinations. The detection was made by a custom rule engine monitoring for port scanner behavior.

Uploaded by

Islam Atallah

12/13/22, 3:00 PM Offense

Offense 739

Magnitude:
Status:
Relevance: 5
Severity: 1
Credibility: 0
Offense Type:
Event Name:
Description: Port Scanner Detection
Event/Flow count: 1 events and 0 flows in 1 categories
Source IP(s): 10.10.61.189
Start: Dec 13, 2022, 2:58:41 PM
Destination IP(s): 2.1.1.4
Duration: 1m 2s
Network(s): Air-Gapped.HQ
Assigned to: Unassigned

Offense Source Summary

Event Name: Port Scanner Detection
High Level Category: Access
Low Level Category: Access Denied
Severity: 1
Offenses: 1
Events/Flows: 1

Last 5 Notes

Notes Username Creation Date

No results were returned.

Last 5 Search Results

Magnitude Started On Ended On Duration Events/Flows

No results were returned.

Top 5 Source IPs

Source IP: 10.10.61.189
Magnitude:
Location: Air-Gapped.Branches
Vulnerability: No
User: Unknown
MAC: Unknown NIC
Weight: 0
Offenses: 8
Destination(s): 100
Events/Flows: 57,781
Last Event/Flow: 50s

Top 5 Destination IPs

Destination IP: 2.1.1.4
Magnitude:
Location: Air-Gapped.HQ
Vulnerability: No
Chained: No
User: Unknown
MAC: Unknown NIC
Weight: 0
Offenses: 12
Source(s): 8
Events/Flows: 58,872
Last Event/Flow: 50s

Top 5 Log Sources

Name: Custom Rule Engine-8 :: Qradar
Description: Custom Rule Engine
Group:
Events: 1
Offenses: 637
Total Events: 47,744

Top 5 Users

Name Events/Flows Offenses Total Events/Flows

No results were returned.

https://10.10.30.84/console/qradar/jsp/QRadar.jsp 1/2

Top 5 Categories

Name: Access Denied
Magnitude:
Local Destination Count: 1
Events/Flows: 1
First Event/Flow: Dec 13, 2022, 2:59:43 PM
Last Event/Flow: Dec 13, 2022, 2:59:43 PM

Last 10 Events

Event Name: Port Scanner Detection
Magnitude:
Log Source: Custom Rule Engine-8 :: Qradar
Category: Access Denied
Destination: 2.1.1.4
Destination IPv6: 0:0:0:0:0:0:0:0
Dst Port: 57096
Time: Dec 13, 2022, 2:59:43 PM

Last 10 Flows

Application Source IP Source IPv6 Source Port Destination IP Destination IPv6 Destination Port Total Bytes Last Packet Time

No results were returned.

Top 5 Annotations

Annotation: "CRE Event".  CRE Rule description:  [Port Scanner Detection] Port Scanner Detection
Time: Dec 13, 2022, 3:00:11 PM
Weight: 6

Annotation: [Port Scanner Detection] "Offense Renamed".  This offense has been renamed to "Port Scanner Detection" by user request, based on an Event Rule that has fired.  Typically this is done because a particular sequence of recognizable and important security events has been detected, and the offense has been named accordingly.
Time: Dec 13, 2022, 3:00:11 PM
Weight: 1

Annotation: "Offense Chaining".  This source IP currently has 3 other source active on the network.
Time: Dec 13, 2022, 3:00:11 PM
Weight: 1

Annotation: "Offense Chaining".  This offense has 0 destinations (destination IPs), which are the source (attacker) in other offenses
Time: Dec 13, 2022, 3:00:11 PM
Weight: 0
