Vendors SCADAfence SCADAfence Platform Network Scanner Detection Alert

Network Scanner Detection Alert

OT/ICS security alert for detected scanning activity

Alert generated when the SCADAfence Platform detects network scanning activity from an asset, indicating potential reconnaissance or malicious behavior in OT/ICS environments

security threat-detection ot-security scanning reconnaissance cef

CEF Format 17 Fields Medium Frequency Generator

Preview Sample View Schema

Overview

Alert generated when an asset is identified as performing network scanning activity, sending requests to multiple assets/ports in the OT network

When Generated:

When an asset scans multiple IP addresses or ports in a short time period
When reconnaissance patterns are detected in OT network traffic
When potentially malicious scanning activity is observed
When legitimate scanning tools are detected (management platforms)

Security Relevance:

High

Compliance:

NIST CSF (Detect) IEC 62443 (Industrial Automation Security) NERC CIP ISA/IEC 62443

Frequency Notes:

Medium frequency - approximately 8-12 alerts per hour during normal operations. Higher frequency during night hours when unauthorized scanning may occur (2.0x multiplier). Lower on weekends (0.3x) as legitimate management activities decrease.

Resources

Documentation

SCADAfence Platform Documentation official
CEF Format Specification reference
ICS/OT Security Best Practices reference

Tools

SCADAfence Platform
OT/ICS security monitoring and threat detection platform
NIST Cybersecurity Framework
Framework for managing OT/ICS cybersecurity risks

Generation Configuration

Base Frequency: 8 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 1.5x

Night Hours Multiplier: 2.0x

Weekend Multiplier: 0.3x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
CEF Version Source: Static value: 0	Integer	Required	`Integer`	CEF format version (always 0)	`0`	—
Device Vendor Source: Static value: SCADAfence	String	Required	—	Vendor of the security device generating the alert	`SCADAfence`	—
Device Product Source: Static value: SCADAfence Platform	String	Required	—	Product name of the security platform	`SCADAfence Platform`	—
Device Version Source: random_weighted() - weighted selection from common versions	String	Required	`Semantic version`	Version of the SCADAfence Platform	`6.5.1.15`	`6.5.1.15` — Version 6.5.1.15 (50% probability) `6.6.0.8` — Version 6.6.0.8 (30% probability) `6.7.2.3` — Version 6.7.2.3 (20% probability)
Signature ID Source: Static value: 1200	Integer	Required	—	Alert type identifier for network scanner detection	`1200`	—
Name Source: Static value: Network Scanner was detected	String	Required	—	Human-readable name of the alert type	`Network Scanner was detected`	—
Severity Source: random_weighted() - 8 (60%), 7 (30%), 9 (10%)	Integer	Required	`Integer 0-10`	Alert severity level (CEF severity scale 0-10)	`8`	`7` — High severity (30% of alerts) `8` — Very high severity (60% of alerts) `9` — Critical severity (10% of alerts)
alert_ip Source: registry.get_random_device().ip_address - from entity registry	String	Required	`IPv4`	IP address of the asset performing scanning activity	`192.168.1.51`	—
site Source: random_weighted() - site assignments or N/A	String	Required	—	Physical site or facility where the scanning asset is located	`Plant-A`	`N/A` — No site assigned (40%) `Plant-A` — Plant A facility (20%) `Facility-B` — Facility B (20%) `Site-1` — Site 1 (20%)
alert_seq Source: random_int(1, 99999) - unique alert ID	Integer	Required	`Integer`	Unique sequential alert identifier	`81`	—
status Source: random_weighted() - alert lifecycle status	String	Required	—	Current status of the alert in the workflow	`CREATED`	`CREATED` — Newly created alert (40%) `IN_PROGRESS` — Alert under investigation (30%) `RESOLVED` — Alert resolved (20%) `ACKNOWLEDGED` — Alert acknowledged by analyst (10%)
createdOn Source: created_time \| format_datetime() - current time minus random offset	DateTime	Required	`YYYY-MM-DD HH:MM:SS`	Timestamp when the alert was first created	`2021-09-13 20:40:20`	—
updatedOn Source: updated_time \| format_datetime() - recent update time	DateTime	Required	`YYYY-MM-DD HH:MM:SS`	Timestamp of the last update to the alert	`2021-09-13 20:41:16`	—
details Source: Dynamically constructed with alert_ip from device registry	String	Required	—	Detailed description of the detected scanning activity	`Asset 192.168.1.51 was identified as a network scanner, sending requests to too many assets/ports`	—
explanation Source: Static guidance text for this alert type	String	Required	—	Technical explanation of why this activity is concerning and what it might indicate	`This asset has been identified as doing scanning activity...`	—
remediation Source: Static remediation guidance for this alert type	String	Required	—	Recommended remediation steps for security analysts	`Please check the asset. If it is a valid scanner...`	—
url Source: Constructed from platform_ip and alert_seq	String	Required	`URL`	Direct URL to view the alert in the SCADAfence Platform UI	`https://192.168.1.234/alerts/81`	—

Details

Fields

Medium

Frequency

Feedback

No ratings yet