LoFP / expected if you legitimately use the Advanced IP or Port Scanner utilities in your environment.

Techniques

Sample rules

PUA - Advanced IP/Port Scanner Update Check

Description

Detect the update check performed by Advanced IP/Port Scanner utilities.

Detection logic

condition: selection
selection:
  c-uri-query|contains|all:
  - lng=
  - ver=
  - beta=
  - type=
  - rmode=
  - product=
  c-uri|contains: /checkupdate.php
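
The selection above, evaluated over proxy events and combined with the false-positive note at the top of the page. This is an added example, not part of the original rule or the LoFP project; the `src_ip` field, the `APPROVED_HOSTS` inventory, and all sample events are constructed assumptions.

```python
# Added example: applies the rule's selection to constructed proxy events and
# separates expected hits (approved scanner hosts) from hits needing review.

# Values transcribed from the rule's selection.
QUERY_KEYS = ("lng=", "ver=", "beta=", "type=", "rmode=", "product=")
URI_MARKER = "/checkupdate.php"

# Assumption: hosts where the scanner is an approved tool (hypothetical inventory).
APPROVED_HOSTS = {"10.0.5.20"}


def matches_update_check(event):
    """True when the event satisfies the selection.

    'contains' is a substring match (case-insensitive by default in Sigma);
    '|all' requires every listed value to be present in c-uri-query.
    """
    uri = str(event.get("c-uri", "")).lower()
    query = str(event.get("c-uri-query", "")).lower()
    return URI_MARKER in uri and all(key in query for key in QUERY_KEYS)


def triage(events):
    """Return (src_ip, verdict) for each matching event."""
    results = []
    for ev in events:
        if not matches_update_check(ev):
            continue
        src = ev.get("src_ip")
        results.append((src, "expected" if src in APPROVED_HOSTS else "review"))
    return results


# Constructed sample data; parameter values are placeholders.
FULL_QUERY = "lng=en&ver=1.0&beta=n&type=upd&rmode=p&product=scanner"
SAMPLE_EVENTS = [
    {"src_ip": "10.0.5.20", "c-uri": "/checkupdate.php?" + FULL_QUERY, "c-uri-query": FULL_QUERY},
    # Right path, but only one of the six parameters: '|all' is not satisfied.
    {"src_ip": "10.0.7.31", "c-uri": "/checkupdate.php?ver=1.0", "c-uri-query": "ver=1.0"},
    # All six parameters, but a different path: the c-uri condition fails.
    {"src_ip": "10.0.8.44", "c-uri": "/status.php?" + FULL_QUERY, "c-uri-query": FULL_QUERY},
    {"src_ip": "10.0.9.77", "c-uri": "/CheckUpdate.php?" + FULL_QUERY, "c-uri-query": FULL_QUERY},
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_EVENTS):
        print(src, verdict)
```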