Hello Experts,
I am trying to detect port scan activity through ESM.
I am trying to detect the port scan activity in a simulated environment.
I have a Windows Server 2008 R2 virtual machine and a Windows 7 VM. Both of the VMs are on the same subnet without any router/firewall in between.
I am initiating a port scan against the target Windows Server 2008 machine from the Windows 7 machine using nmap.
I am receiving the Windows event 'The firewall has blocked the connection' through the agent deployed on the Windows Server 2008 VM.
Any suggestions on how I can detect the port scan activity via a correlation rule?
Thanks
FRANK