Detect Port Scanning in AWS VPC Flow Logs
Sigma Rule
title: AWS VPC Flow — Port Scanning (REJECT fan-out)
id: 7b3e9a42-6c18-4d57-8a21-1f9c4e2d6b05
status: experimental
description: >
  Detects a single source address generating a burst of rejected connections
  across many distinct destination ports in a short window — the signature of a
  horizontal/vertical port scan. REJECT-heavy fan-out from one srcaddr is the
  cheapest reliable network-layer scan indicator.
references:
  - https://attack.mitre.org/techniques/T1046/
author: LogTriage
date: 2026/06/23
logsource:
  product: aws
  service: vpcflow
detection:
  selection:
    action: 'REJECT'
  timeframe: 5m
  condition: selection | count(dstport) by srcaddr > 15
falsepositives:
  - Authorized vulnerability scanners (allowlist source IPs)
  - Load balancer / health-check fan-out
level: medium
tags:
  - attack.discovery
  - attack.reconnaissance
  - attack.t1046
What this rule detects
Port scanning is the network-layer reconnaissance step that precedes most targeted attacks: a
single source systematically probes a range of ports to find open services. In AWS VPC Flow Logs it
has a clean signature — one srcaddr generating many REJECT flows across many distinct
dstport values in a short window.
This Sigma rule fires when a single source produces rejected connections to more than 15 distinct destination ports within 5 minutes.
Detection logic
The discriminator is breadth, by source. In Sigma's legacy aggregation syntax, count(dstport) by srcaddr is a distinct count of dstport values per srcaddr, so 30 rejected retries against one port score 1 while 16 rejected probes of 16 different ports score 16 and fire. Only action: REJECT flows are counted, because scanners blindly probe closed ports and legitimate clients rarely do.

Two preconditions for the rule to see anything at all: the flow log must be created with a traffic filter of ALL or REJECT (an ACCEPT-only flow log never records the denied probes), and srcaddr, dstport and action must be present under those names, which they are in the default version 2 record format; a custom format needs a field mapping in the pipeline before the rule runs. Counting ports rather than records also sidesteps aggregation: every probed port is a distinct 5-tuple and so its own record, whereas retries against one port within an aggregation interval collapse into a single record with a larger packets count.

Tune the > 15 distinct-port threshold and the 5m window to your environment's baseline. For open-service discovery (ACCEPT flows), pair this with service-layer detections. LogTriage's VPC Flow reconnaissance detection clusters flows by source and surfaces the sweep without a SIEM.
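The same logic in code, as an added example written for this page (it is not LogTriage code and not the Sigma rule itself): a parser for default-format version 2 VPC Flow Log records, a per-source sliding 5-minute window over REJECT flows counting distinct dstport values, and the source allowlist the false-positive section recommends. The sample log is constructed: the account ID and ENI are placeholders, the addresses are documentation ranges, and the four sources are chosen to show a scan that fires, a noisy client retrying one port, an allowlisted authorized scanner, and a slow scan that never gets 16 ports into one window.

```python
"""Distinct-port REJECT fan-out over AWS VPC Flow Logs, default v2 format.

Added example for this page, not LogTriage code. It mirrors the Sigma rule:
action: REJECT | count(dstport) by srcaddr > 15 within timeframe: 5m.
"""
from collections import Counter, deque
from dataclasses import dataclass

# Field order of the default VPC Flow Log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
WINDOW_SECONDS = 5 * 60  # Sigma: timeframe: 5m
THRESHOLD = 15           # Sigma: count(dstport) by srcaddr > 15


@dataclass(frozen=True)
class Reject:
    srcaddr: str
    dstport: int
    start: int  # first packet of the flow, epoch seconds


def parse_rejects(lines):
    """Yield Reject records from raw flow-log lines.

    Lines with the wrong field count, non-REJECT actions, or '-' placeholders
    (NODATA / SKIPDATA records) are skipped rather than crashing the parser.
    """
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["action"] != "REJECT":
            continue
        try:
            yield Reject(rec["srcaddr"], int(rec["dstport"]), int(rec["start"]))
        except ValueError:  # '-' in srcaddr/dstport/start
            continue


def port_fanout(lines, window=WINDOW_SECONDS, threshold=THRESHOLD,
                allowlist=frozenset()):
    """Return {srcaddr: peak distinct rejected dstports in any window}
    for every non-allowlisted source whose peak exceeds `threshold`."""
    by_src = {}
    for r in parse_rejects(lines):
        if r.srcaddr in allowlist:
            continue
        by_src.setdefault(r.srcaddr, []).append(r)

    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.start)
        in_window = deque()   # records no older than `window` before the newest
        ports = Counter()     # dstport -> records currently in the window
        peak = 0
        for r in recs:
            in_window.append(r)
            ports[r.dstport] += 1
            while r.start - in_window[0].start > window:
                old = in_window.popleft()
                ports[old.dstport] -= 1
                if ports[old.dstport] == 0:
                    del ports[old.dstport]
            peak = max(peak, len(ports))  # distinct ports, not record count
        if peak > threshold:
            hits[src] = peak
    return hits


# ---- constructed sample log (placeholder account/ENI, documentation IPs) ----
def _flow(src, dst, sport, dport, start, action, status="OK"):
    return (f"2 111122223333 eni-0a1b2c3d4e5f67890 {src} {dst} {sport} {dport} "
            f"6 1 44 {start} {start + 60} {action} {status}")

T0 = 1_700_000_000
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
              443, 445, 993, 995, 1433, 3306, 3389, 5432, 8080, 8443]
SAMPLE_LOG = [
    # Scanner: 20 distinct ports rejected within two minutes -> fires.
    *[_flow("203.0.113.45", "10.0.1.20", 40000 + i, p, T0 + 6 * i, "REJECT")
      for i, p in enumerate(SCAN_PORTS)],
    # Noisy client: 30 rejected retries against one port -> distinct count 1.
    *[_flow("198.51.100.7", "10.0.1.20", 51000 + i, 443, T0 + 10 * i, "REJECT")
      for i in range(30)],
    # Authorized scanner: 25 ports, silenced only by the allowlist.
    *[_flow("10.0.9.9", "10.0.1.20", 42000 + i, 1000 + i, T0 + i, "REJECT")
      for i in range(25)],
    # Slow scan: one port every 4 minutes -> at most 2 ports per 5m window.
    *[_flow("192.0.2.66", "10.0.1.20", 43000 + i, 2000 + i, T0 + 240 * i, "REJECT")
      for i in range(20)],
    # Accepted traffic and a SKIPDATA record contribute nothing.
    _flow("198.51.100.8", "10.0.1.20", 52000, 443, T0, "ACCEPT"),
    "2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - SKIPDATA",
]

if __name__ == "__main__":
    for src, n in port_fanout(SAMPLE_LOG, allowlist={"10.0.9.9"}).items():
        print(f"port scan suspected from {src}: {n} distinct rejected dstports")
```

Run as-is it reports only 203.0.113.45 with 20 ports. Drop the allowlist and the authorized scanner at 10.0.9.9 joins it with 25, which is the point of allowlisting by source rather than lowering the threshold; the slow scanner at 192.0.2.66 stays silent because the window is evaluated per source over flow start times, so only a longer timeframe (or a second rule with one) catches it.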
Validated against a real sample
Validated against vpc_flow_malicious.log (shipped with LogTriage): a single source
(185.220.101.45) generating REJECT flows across SSH, RDP, and a spread of other destination
ports. The rule fires on that sample and stays silent on the matching benign flow log.
False positives
Authorized vulnerability scanners and your own red-team/security scans look identical at the network layer; allowlist their source IPs rather than raising the threshold. Load balancers and health checkers probing many backends can also resemble fan-out; scope by known infrastructure. Keep in mind that srcaddr is the address as seen at the capturing ENI: clients behind a NAT gateway or proxy share one srcaddr, so a handful of independent users each hitting a closed port can add up to a fan-out that no single host produced. Conversely, a scanner that spreads its probes over longer than the 5m window never crosses the threshold in any single window; a second copy of the rule with a longer timeframe and a higher threshold is the usual complement.
Frequently Asked Questions
- Why count distinct destination ports rather than total rejected packets?
- A scan's signature is breadth — one source touching many different ports — not volume against one port. count(dstport) by srcaddr captures the horizontal/vertical sweep and avoids firing on a single noisy-but-legitimate connection that retries the same port.
- REJECT vs ACCEPT — does it matter?
- REJECT (the security group / NACL denied the flow) is the strongest scan signal because a scanner blindly probes closed ports. A scan that hits open ports shows as ACCEPT and is better caught by service-layer logs; pairing both gives full coverage.
- How does LogTriage score this without a SIEM?
- Its VPC Flow parser normalizes REJECT to a 403-equivalent and the session grouper clusters flows by source IP, surfacing wide-port fan-out as a reconnaissance pattern. Upload a flow log and it's flagged automatically.
Related Resources
See this detection run on a real report
Try the live demo with a pre-loaded malicious log set — no signup required — or upload your own log file and get a full AI-reviewed threat report in minutes.