topic Re: How to find network scanners via stealthwatch in Security Analytics

How to find network scanners via stealthwatch

dijix1990 — Tue, 11 Mar 2025 13:05:47 GMT

Hello, I try to use option from stealthwatch to find network scanners. I started ping scan from my PC. After a while I saw that I have Top Security Event for my host Ping_Scan with CI = 590,400, after it I went to Report - Visibility Assessment - Internal Network Scanners and found out that there wasn't my host which did ping scan

Re: How to find network scanners via stealthwatch

David Salter — Mon, 17 Mar 2025 10:07:03 GMT

Is the IP for your PC included in an Inside Host Group?

Re: How to find network scanners via stealthwatch

dijix1990 — Mon, 17 Mar 2025 10:10:47 GMT

yes

Re: How to find network scanners via stealthwatch

David Salter — Mon, 17 Mar 2025 13:51:57 GMT

While a host generating a ping scan (and no other behaviors) will accrue CI points and trigger a High Concern Index alarm, it will not appear in the 'Internal Network Scanners' section of the Visibility Assessment. The Assessment reports on more complex scans where a host is running an address scan or port scan rather than a more simplistic ping sweep.

Re: How to find network scanners via stealthwatch

dijix1990 — Mon, 17 Mar 2025 13:56:29 GMT

So it's very awful and bad. We need to do some researches to find more reliable product

Re: How to find network scanners via stealthwatch

katerina.dardoufa — Thu, 21 Aug 2025 09:10:59 GMT

I have a question that might fall under this conversation... The visibility Assessment shows hosts in my case. They do have a high CI, which isn't triggered by a ping sweep. What is the purpose of "Network Scanners" under Configuration? Is it supposed to show the same "rogue" scanners or is it something totally different? In my case it show "The presumed host query has not run. The next query will run at the archive hour. Please check this page again after that time to see any new results.", so I don't know exactly what I am expecting to see.

Re: How to find network scanners via stealthwatch

David Salter — Thu, 21 Aug 2025 10:32:07 GMT

The Network Scanners page highlights all hosts that have been detected as exhibiting scanning behavior. From this page, hosts that are known vulnerability scanners or other tools that exhibit scanning behavior as part of their normal operation (such as SNMP polling tools) can be easily classified as scanners directly from the report using the check box to select multiple hosts or the 'Add' button for individual hosts. If different policies are required for different scanning tools, hosts can be moved to different groups with specific polices set as required.

Other hosts that have been identified can be investigated further and appropriate action can be taken.

A sample screenshot is shown below.

Re: How to find network scanners via stealthwatch

katerina.dardoufa — Fri, 22 Aug 2025 07:07:52 GMT

I have already configured the "Network Scanners" in the host group. Shouldn't these appear in the Network Scanner report? Or if they are already categorized they will not show up?

Does the message "The presumed host query has not run. The next query will run at the archive hour. Please check this page again after that time to see any new results." indicate that something is not working as expected?

Re: How to find network scanners via stealthwatch

Pradyumna14 — Fri, 22 Aug 2025 10:25:21 GMT

You can confirm scanners by checking Hosts → Host Report for detailed flows and security events. If you need faster detection, adjust the scan thresholds in Stealthwatch policy or use custom reports/alarms to flag even short scans. This way, your host activity will also appear in Internal Scanners.

Re: How to find network scanners via stealthwatch

David Salter — Fri, 22 Aug 2025 12:33:22 GMT

If you have not yet applied a policy to the Network Scanners Host Group they will still be reported as scanners. You will need to tune the group to reduce false positives. You may also want to set a 'Low Traffic' threshold too which will alert to scanners not operating as normal.

If you are still seeing the host query message, something is not working as expected. I suggest opening a TAC case so that can be investigated further.