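---
# ElastAlert rule: a single source hitting many distinct destination ports
# on one destination host in the firewall logs is treated as a port scan.
# Indentation is restored here; without it the nested keys (timeframe,
# buffer_time, filter, ...) do not parse as intended.
# Quoted: a leading '#' would otherwise start a comment.
name: "##Firewall_PortScan"
index: graylog_*

# Cardinality rule: counts the distinct DEV_LOG_DPORT values seen per
# query_key within `timeframe` and fires once that count exceeds
# max_cardinality (more than 50 distinct ports in 45 minutes).
type: cardinality
cardinality_field: DEV_LOG_DPORT
timeframe:
  minutes: 45
# How far back each query run looks for new events.
buffer_time:
  minutes: 15
max_cardinality: 50
# Distinct ports are counted per (source IP, destination IP) pair.
query_key: [DEV_LOG_SRC, DEV_LOG_DST]

# Only events carrying all three fields are considered; the trailing
# DEV_LOG_DPORT:* clause restates the _exists_ check for that field.
filter:
  - query:
      query_string:
        query: '_exists_:DEV_LOG_SRC AND _exists_:DEV_LOG_DST AND _exists_:DEV_LOG_DPORT AND DEV_LOG_DPORT:*'

# {0} in the subject is filled from alert_subject_args (the source IP).
alert_subject: "[CAR] Firewall PortScan from {0}"
alert_subject_args:
  - DEV_LOG_SRC

# Keyword -> match field mapping for the {name} placeholders in alert_text.
alert_text_kw:
  _index: _index
  _id: _id
  DEV_LOG_DPORT: DEV_LOG_DPORT
  DEV_LOG_SRC: DEV_LOG_SRC
  DEV_LOG_DST: DEV_LOG_DST
  DEV_LOG_COMPID: DEV_LOG_COMPID
  DEV_LOG_TIMESTAMP: DEV_LOG_TIMESTAMP

# Markdown body; '####' lines are content here, not YAML comments.
# NOTE(review): the Graylog link points at localhost, so it only resolves
# when the alert is read on the Graylog host itself — presumably a
# placeholder for the real Graylog URL; confirm before deployment.
alert_text: |
  #### Detection of a PortScan on Firewall:
  - **Firewall Device**: `{DEV_LOG_COMPID}`
  - **Source IP**: `{DEV_LOG_SRC}`
  - **Destination IP**: `{DEV_LOG_DST}`
  - **Destination Port**: `{DEV_LOG_DPORT}`
  - **Event Time**: `{DEV_LOG_TIMESTAMP}`
  #### Logs details:
  - Logs available on [Graylog](https://localhost/graylog/messages/{_index}/{_id}).
alert_text_type: alert_text_only

# With query_key set, re-alerting is suppressed per (src, dst) pair
# for 12 hours after an alert fires.
realert:
  hours: 12

# Custom TheHive alerter module; the thehive_* keys below are its options.
alert:
  - elastalert_modules.thehive_alerter.TheHiveAlerter
# NOTE(review): plain http — the credentials loaded from thehive_auth_file
# are sent unencrypted to TheHive; confirm this stays on a trusted segment
# or use https.
thehive_uri: http://thehive:9000
# Credentials are kept out of this rule file; only the file name is referenced.
thehive_auth_file: thehive_acct.yaml
thehive_alert_type: PortScan
thehive_severity: 2
thehive_tlp: 2
thehive_source: Dev
# Quoted so the '{0}' placeholder is never mistaken for YAML flow syntax;
# presumably filled from thehive_source_ref_args like alert_subject — confirm
# against the alerter module.
thehive_source_ref: 'Forcepoint_portscan_{0}'
thehive_source_ref_args:
  - DEV_LOG_SRC
# Observables attached to the TheHive alert (assumed to be match field names
# resolved by the alerter module — verify).
thehive_artifacts:
  - data: DEV_LOG_SRC
    datatype: ip
  - data: DEV_LOG_DST
    datatype: ip
thehive_tags:
  - portscan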