cscli scenarios install a1ad/mikrotik-scan-multi_ports
Detects a port scan: a single source IP attempting connections to many distinct destination ports, as seen in MikroTik firewall drop logs.
Leakspeed of 5s, capacity of 15. Each new distinct destination port from a source IP pours one event into that IP's bucket; the bucket drains one event every 5 seconds and overflows (raising an alert) once more than 15 distinct ports have accumulated faster than they drain. After an overflow the bucket is blackholed for 1 minute so a continuing scan does not produce a flood of alerts.
type: leaky
name: a1ad/mikrotik-scan-multi_ports
description: "Detect port scanning from single ip on MikroTik router"
filter: "evt.Meta.log_type == 'mikrotik_drop' && evt.Meta.service == 'tcp_udp'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.dst_port
capacity: 15
leakspeed: 5s
blackhole: 1m
labels:
  service: mikrotik
  behavior: "tcp:scan"
  classification:
    - attack.T1595.001
    - attack.T1018
    - attack.T1046
  spoofable: 2
  confidence: 1
  label: "MikroTik Port Scanning"
  remediation: true
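To see where this scenario actually fires, the following Python replays its filter, groupby, distinct, capacity, leakspeed and blackhole settings over constructed, already-parsed events. It is an added illustration written for this page, not CrowdSec's engine or the scenario author's code, and it makes three modelling assumptions: the bucket overflows when it would hold more than `capacity` events (the 16th distinct port), leaking is applied as a continuous rate rather than a 5-second ticker, and the distinct-port cache resets when the bucket drains empty. The event dictionaries, IPs, ports and timestamps are all constructed.

```python
"""Toy model of the a1ad/mikrotik-scan-multi_ports leaky bucket.

Added illustration, not CrowdSec's code: replays the scenario's
filter / groupby / distinct / capacity / leakspeed / blackhole semantics
over constructed, already-parsed events so the trigger point is visible.
"""
from dataclasses import dataclass, field

# Values taken from the scenario definition above.
CAPACITY = 15      # events the bucket holds before it overflows
LEAKSPEED = 5.0    # seconds per leaked event
BLACKHOLE = 60.0   # seconds the bucket is silenced after an overflow


@dataclass
class Bucket:
    level: float = 0.0                              # events currently held
    last_ts: float = 0.0                            # time of the last pour
    seen_ports: set = field(default_factory=set)    # the 'distinct' cache
    blackhole_until: float = 0.0


def matches_filter(evt):
    """The scenario's 'filter' expression on evt.Meta."""
    meta = evt["meta"]
    return meta.get("log_type") == "mikrotik_drop" and meta.get("service") == "tcp_udp"


def run_scenario(events):
    """Replay events in time order; return a list of (timestamp, source_ip) overflows."""
    buckets = {}   # one bucket per 'groupby: evt.Meta.source_ip'
    alerts = []
    for evt in sorted(events, key=lambda e: e["ts"]):
        if not matches_filter(evt):
            continue
        ts, src = evt["ts"], evt["meta"]["source_ip"]
        b = buckets.setdefault(src, Bucket(last_ts=ts))
        if ts < b.blackhole_until:
            continue                                # recently overflowed: ignored
        # Assumption: leak modelled as a continuous rate of one event per LEAKSPEED.
        b.level = max(0.0, b.level - (ts - b.last_ts) / LEAKSPEED)
        b.last_ts = ts
        if b.level == 0.0:
            b.seen_ports.clear()                    # assumption: empty bucket resets distinct cache
        # 'distinct: evt.Parsed.dst_port': only a port not yet seen is poured in.
        port = evt["parsed"]["dst_port"]
        if port in b.seen_ports:
            continue
        b.seen_ports.add(port)
        b.level += 1
        if b.level > CAPACITY:                      # assumption: overflow on the 16th event
            alerts.append((ts, src))
            b.blackhole_until = ts + BLACKHOLE
            b.level = 0.0
            b.seen_ports.clear()
    return alerts


def make_event(ts, src, dst_port, log_type="mikrotik_drop", service="tcp_udp"):
    """Constructed parsed event in the shape the scenario's filter inspects."""
    return {
        "ts": ts,
        "meta": {"log_type": log_type, "service": service, "source_ip": src},
        "parsed": {"dst_port": dst_port},
    }


def scan_burst(src, n_ports, start=0.0, gap=0.1):
    """n_ports distinct destination ports from src, one every `gap` seconds (constructed)."""
    return [make_event(start + i * gap, src, 1000 + i) for i in range(n_ports)]


if __name__ == "__main__":
    # 16 distinct ports in 1.5 s from one IP overflows; 15 do not.
    print(run_scenario(scan_burst("203.0.113.7", 16)))
    print(run_scenario(scan_burst("203.0.113.7", 15)))
```

The model makes two practical points visible: the same port hit repeatedly never fills the bucket because of `distinct`, and a slow scan (one new port every 5 seconds or slower) never overflows because it leaks as fast as it pours. Against real traffic the result also depends on the MikroTik parser populating `evt.Meta.log_type`, `evt.Meta.service`, `evt.Meta.source_ip` and `evt.Parsed.dst_port`, which this page does not define; check that with `cscli explain` on a sample of your own router logs before relying on the scenario.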