ATH Example: Blocking a Port Scanning Source IP

This topic describes how to create an ATH playbook that notifies you when a source IP is detected pinging a specified destination IP on more than 20 destination ports. This is known as port scanning and is a common technique used to identify open ports on a target host.

This example also provides a demonstration of how to use nested calculations in an ATH playbook.

Configure the Alert

We will create an alert that runs a query every 5 minutes on the Traffic index.

To create the alert:

  1. Navigate to Respond | Automation and click the Create button to add a playbook.
  2. Enter a name for the playbook. We entered Port-Scan-Block.
  3. Set the Schedule type to interval.
  4. Set it to run every five minutes over all selected tenants.
  5. Leave Mute disabled.
  6. Choose the tenants and tenant groups on which to run. We chose All Tenants.
  7. Set the index to Traffic.
  8. Leave the Rule Type as Query.

Build a Query

We want a query that looks for new documents with a dstip of 10.16.8.131. This is the IP address that we are concerned is the target of port scan attacks.

To build the query:

  1. Click New Query. The screen changes to Build a Query.
  2. Enter a Query Name. We used Port Scan.
  3. Leave Condition Type set to AND and click Add Condition.
  4. Select dstip from the Field dropdown.
  5. Leave the Operator set to is.
  6. Set Value to 10.16.8.131.
  7. Click Save to save your query.

Add Calculations to the Query

Next, we will build a series of nested calculations that ensure we're matching the top five source IP addresses that are pinging 10.16.8.131 on more than 20 destination ports.

To add the nested calculations:

  1. Click Calculations to enable them, changing the slider to green.

  2. Click the + button to add a calculation.

  3. Our top-level calculation matches the top five source IP addresses sending to 10.16.8.131:

    1. Supply a Name. We used 1st_srcip_agg.

    2. Leave Calculation type set to Top.

    3. Set the Field to calculate on dropdown to srcip.

    4. Leave Calculate By set to count.

    5. Set Size to 5. We will match the top five source IP addresses sending to 10.16.8.131.

      Here's where we are so far:

  4. Click Add Subgroup to add a nested calculation for the top destination IP address.

    1. Supply a Name. We used 2nd_dstip_agg.

    2. Leave Calculation type set to Top.

    3. Set the Field to calculate on dropdown to dstip.

    4. Leave Calculate By set to count.

    5. Set Size to 1. We are looking for just one dstip in this query (10.16.8.131). If your query is for multiple dstips, you can set this to a larger size.

      Here's where we are now:

  5. Click Add Subgroup to add a third nested calculation that counts the distinct destination ports each source IP sends to. The 20-port threshold itself is applied by the condition configured in the next section.

    1. Supply a Name. We used 3rd_dstport_agg.

    2. Set Calculation type to Metric.

    3. Set the Field to calculate on dropdown to dstport.

    4. Set Calculate By to unique count of dstport.

Here's how our playbook looks with all three calculations added:

Configure a Condition

We are looking for hosts pinging 10.16.8.131 on more than 20 ports. To do this, we add a condition that triggers if the result of our third calculation (Result of 3rd_dstport_agg) is greater than or equal to 20.

To configure this condition:

  1. Enter a Condition Name. We entered match.
  2. Select Compare List for the Type.
  3. Set the Comparison to At least one.
  4. Set Field to Result of 3rd_dstport_agg.
  5. Set Operator to is greater than or equal to 20.
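As an added illustration (not code from this page or from the product), the following Python models the query, the three nested calculations and the match condition, run over constructed Traffic records. The record field names and every IP other than 10.16.8.131 are assumptions made for the example.

```python
from collections import Counter, defaultdict

TARGET = "10.16.8.131"  # the dstip the query filters on


def make_sample_records():
    """Constructed Traffic records (not real data): one dict per connection."""
    records = []
    # A scanning host: touches the target on 25 distinct ports (assumed IP).
    for port in range(1, 26):
        records.append({"srcip": "10.16.8.50", "dstip": TARGET, "dstport": port})
    # A noisy but benign host: 40 connections, only 3 distinct ports (assumed IP).
    for i in range(40):
        records.append({"srcip": "10.16.8.51", "dstip": TARGET, "dstport": (80, 443, 22)[i % 3]})
    # Traffic to a different destination; the query excludes it (assumed IPs).
    for port in range(1, 30):
        records.append({"srcip": "10.16.8.52", "dstip": "10.16.8.200", "dstport": port})
    return records


def run_query(records, dstip=TARGET):
    """Query stage: condition 'dstip is 10.16.8.131'."""
    return [r for r in records if r["dstip"] == dstip]


def nested_calculations(matches, top_srcip=5, top_dstip=1):
    """1st_srcip_agg (Top srcip, size 5) -> 2nd_dstip_agg (Top dstip, size 1)
    -> 3rd_dstport_agg (Metric: unique count of dstport).
    Returns {(srcip, dstip): unique_dstport_count}."""
    by_src = defaultdict(list)
    for r in matches:
        by_src[r["srcip"]].append(r)
    results = {}
    # Top N source IPs by document count (Calculate By: count).
    for srcip, _ in Counter(r["srcip"] for r in matches).most_common(top_srcip):
        docs = by_src[srcip]
        # Top dstip (size 1) inside this source's documents.
        for dstip, _ in Counter(d["dstip"] for d in docs).most_common(top_dstip):
            unique_ports = {d["dstport"] for d in docs if d["dstip"] == dstip}
            results[(srcip, dstip)] = len(unique_ports)
    return results


def match_condition(results, threshold=20):
    """Condition 'match': at least one Result of 3rd_dstport_agg >= 20.
    Returns the (srcip, dstip) pairs that fire, i.e. the sources to hand to the block action."""
    return sorted(key for key, value in results.items() if value >= threshold)
```

The noisy host with 40 connections on 3 ports is not matched, which is why the third calculation uses unique count of dstport rather than a plain count.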

Configure Actions

Finally, you must configure a Firewall/Security Switch action to block the IP address when the match condition you configured in the previous section is detected. Refer to Configuring Firewall/Security Switch Actions for details on configuring this type of action. When you have finished, click Submit to add your new playbook to the list.