MEDIUM AWS VPC Flow Logs Port Scanning LTR-0005 ✓ validated

Detect Port Scanning in AWS VPC Flow Logs

MITRE ATT&CK: T1046, T1595.001

Sigma Rule

title: AWS VPC Flow — Port Scanning (REJECT fan-out)
id: 7b3e9a42-6c18-4d57-8a21-1f9c4e2d6b05
status: experimental
description: >
  Detects a single source address generating a burst of rejected connections
  across many distinct destination ports in a short window, the signature of a
  vertical port scan. REJECT-heavy fan-out from one srcaddr is the cheapest
  reliable network-layer scan indicator. A horizontal sweep (one port across
  many hosts) keeps dstport constant and is not covered; count distinct dstaddr
  by srcaddr for that case.
references:
  - https://attack.mitre.org/techniques/T1046/
  - https://attack.mitre.org/techniques/T1595/001/
author: LogTriage
date: 2026/06/23
logsource:
  product: aws
  service: vpcflow
detection:
  selection:
    action: 'REJECT'
  timeframe: 5m
  condition: selection | count(dstport) by srcaddr > 15
falsepositives:
  - Authorized vulnerability scanners (allowlist source IPs)
  - Load balancer / health-check fan-out
level: medium
tags:
  - attack.discovery
  - attack.reconnaissance
  - attack.t1046
  - attack.t1595.001

What this rule detects

Port scanning is the network-layer reconnaissance step that precedes most targeted attacks: a single source systematically probes a range of ports to find open services. In AWS VPC Flow Logs it has a clean signature — one srcaddr generating many REJECT flows across many distinct dstport values in a short window.

This Sigma rule fires when a single source produces rejected connections to more than 15 distinct destination ports within 5 minutes.

Detection logic

The discriminator is breadth, by source: count(dstport) by srcaddr over action: REJECT. Scanners blindly probe closed ports, so REJECT-heavy fan-out from one IP is the cheapest reliable indicator. Two caveats matter in practice. First, the count is per destination port, so a horizontal sweep (one port across many hosts) keeps dstport constant and slips through; a sibling rule that counts distinct dstaddr by srcaddr covers that case. Second, VPC Flow Logs aggregate packets per 5-tuple over the capture interval (up to 10 minutes at the default aggregation setting), so evaluate the 5m window on each record's start field rather than on ingestion time, and expect a slow scanner that spaces its probes out to stay under the threshold. Tune the > 15 distinct-port threshold and the 5m window to your environment's baseline.

For open-service discovery (ACCEPT flows), pair this with service-layer detections. LogTriage’s VPC Flow reconnaissance detection clusters flows by source and surfaces the sweep without a SIEM.
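The same logic as runnable Python over raw flow log records, added here as an example; it is not LogTriage's parser and not a compiled form of the Sigma rule. It assumes the default VPC Flow Log record format (version 2, 14 space-separated fields) and runs over constructed sample records: the function names, the addresses, the account ID and the ENI ID are made up for the illustration. It goes slightly beyond the rule on purpose: the key parameter switches the distinct count from dstport to dstaddr, which turns the vertical-scan rule into its horizontal-sweep sibling, and the sample includes a retry storm on one port, an allowlisted authorized scanner, and a slow scan that the 5-minute window is designed not to catch.

```python
"""LTR-0005 logic over raw VPC Flow Log lines (added example, not LogTriage code).

Assumes the default flow log format: version 2, 14 space-separated fields.
All sample records below are constructed; addresses, account and ENI IDs are made up.
"""
from collections import defaultdict

# Field order of the default VPC Flow Log record format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_record(line):
    """Parse one default-format record into a dict.

    Returns None for the header line that S3-delivered log files carry,
    for malformed lines, and for NODATA / SKIPDATA records (ports are '-').
    """
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    rec["start"] = int(rec["start"])  # epoch seconds of the first packet in the capture window
    return rec


def detect_scans(lines, window=300, threshold=15, allowlist=frozenset(), key="dstport"):
    """Return {srcaddr: distinct values of key} for every source whose REJECT
    flows touched more than threshold distinct values of key within some
    window-second span of record start times.

    key="dstport" is the page's rule (vertical scan); key="dstaddr" is the
    horizontal-sweep variant. Sources in allowlist are never reported.
    """
    per_src = defaultdict(list)  # srcaddr -> [(start, key value)]
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT" or rec["srcaddr"] in allowlist:
            continue
        per_src[rec["srcaddr"]].append((rec["start"], rec[key]))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        counts = defaultdict(int)  # key value -> occurrences inside the sliding window
        lo = 0
        for t, value in events:
            counts[value] += 1
            while events[lo][0] < t - window:  # evict records older than the window
                old = events[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            if len(counts) > threshold:
                hits[src] = sorted(int(v) for v in counts) if key == "dstport" else sorted(counts)
                break
    return hits


def _rec(src, dst, dport, start, action):
    """One constructed record: protocol 6 (TCP), one 44-byte SYN, made-up account/ENI."""
    return (f"2 123456789012 eni-0123456789abcdef0 {src} {dst} 40000 {dport} 6 "
            f"1 44 {start} {start + 1} {action} OK")


T0 = 1_718_000_000
SAMPLE = (
    ["version account-id interface-id srcaddr dstaddr srcport dstport protocol "
     "packets bytes start end action log-status"]  # header line as written by S3 delivery
    # vertical scan: 20 distinct ports on one host, 10 s apart -> fires at the 16th port
    + [_rec("198.51.100.7", "10.0.1.10", p, T0 + 10 * i, "REJECT")
       for i, p in enumerate(range(20, 40))]
    # open port on the same target: ACCEPT records never count
    + [_rec("198.51.100.7", "10.0.1.10", 443, T0, "ACCEPT")]
    # noisy retry: 30 rejects to one port, no breadth -> must not fire
    + [_rec("10.0.1.20", "10.0.1.10", 3306, T0 + 5 * i, "REJECT") for i in range(30)]
    # authorized scanner with the attacker's breadth -> suppressed only via allowlist
    + [_rec("10.0.9.9", "10.0.1.10", p, T0 + 10 * i, "REJECT")
       for i, p in enumerate(range(20, 40))]
    # slow scan: 40 ports 60 s apart, never more than 6 in any 5-minute window -> evades
    + [_rec("198.51.100.9", "10.0.1.10", 1000 + i, T0 + 60 * i, "REJECT") for i in range(40)]
    # horizontal sweep: port 22 across 20 hosts -> invisible to dstport, caught by dstaddr
    + [_rec("198.51.100.8", f"10.0.1.{h}", 22, T0 + 10 * h, "REJECT") for h in range(1, 21)]
)

if __name__ == "__main__":
    print("vertical   :", detect_scans(SAMPLE))
    print("allowlisted:", detect_scans(SAMPLE, allowlist=frozenset({"10.0.9.9"})))
    print("horizontal :", detect_scans(SAMPLE, key="dstaddr"))
```

Run stand-alone it reports 198.51.100.7 and 10.0.9.9 for the port-breadth rule, only 198.51.100.7 once 10.0.9.9 is allowlisted, and only 198.51.100.8 for the dstaddr variant; the retry storm from 10.0.1.20 and the slow scan from 198.51.100.9 never cross the threshold. The sliding window over record start times is what keeps the slow scan quiet, which is exactly the gap to keep in mind when the 5m window is tuned.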

Validated against a real sample

Validated against vpc_flow_malicious.log (shipped with LogTriage): a single source (185.220.101.45) generating REJECT flows across SSH, RDP, and a spread of other destination ports. The rule fires on that sample and stays silent on the matching benign flow log.

False positives

Authorized vulnerability scanners and your own red-team/security scans look identical at the network layer — allowlist their source IPs. Load balancers and health checkers probing many backends can also resemble fan-out; scope by known infrastructure.

Frequently Asked Questions

Why count distinct destination ports rather than total rejected packets?
A scan's signature is breadth, one source touching many different ports, not volume against one port. count(dstport) by srcaddr captures the vertical sweep (many ports per target) and avoids firing on a single noisy-but-legitimate connection that retries the same port. It does not see a horizontal sweep of one port across many hosts, because dstport stays constant there; count distinct dstaddr by srcaddr for that case.
REJECT vs ACCEPT — does it matter?
REJECT (the security group or network ACL denied the flow) is the strongest scan signal because a scanner blindly probes closed ports. ACCEPT only means the security group and NACL let the packet through: a genuinely open service and a permitted port with nothing listening (the instance answers with a RST) both log as ACCEPT, so open-port discovery is better caught by service-layer or host logs; pairing both gives full coverage.
How does LogTriage score this without a SIEM?
Its VPC Flow parser normalizes REJECT to a 403-equivalent and the session grouper clusters flows by source IP, surfacing wide-port fan-out as a reconnaissance pattern. Upload a flow log and it's flagged automatically.

Related Resources

See this detection run on a real report

Try the live demo with a pre-loaded malicious log set — no signup required — or upload your own log file and get a full AI-reviewed threat report in minutes.