There was an alert in the SIEM regarding suspicious network activity. An ongoing port scan might signal the beginning of a penetration test or a hacking attack.
Therefore it is important to keep the evidence and to be able to quickly distinguish between a set of unrelated network events which do not correlate and a malicious port scan searching for live systems and open ports.
The pictures below show the latter, automated. The tool used for the port scan is intentionally not disclosed. Neither is the SIEM which was used to observe the activity.
The first picture shows packets from the source IP on the left, targeting a set of destination IPs (outer circle) with particular port numbers (centre of the picture). On the right are the names of network services, each represented by a single node.
Detailed view of a destination IP and its ports tested by the scan.
Visual of a particular port number (SSH in this example) and all destination IPs which were scanned for that service:
View from the source IP. It is the symmetry of the curves that suggests that an automated solution was used for the port scan.
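The symmetry seen in the graph can also be checked numerically. The following is an added example, not part of the original post and not the logic of any particular SIEM: it measures, per source IP, what share of destinations were probed with exactly the same port set. The `(src, dst, port)` record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def profile_sources(events):
    """events: iterable of (src_ip, dst_ip, dst_port) flow records."""
    per_src = defaultdict(lambda: defaultdict(set))
    for src, dst, port in events:
        per_src[src][dst].add(port)
    profiles = {}
    for src, dsts in per_src.items():
        # Count how many destinations received an identical set of ports.
        port_sets = Counter(frozenset(p) for p in dsts.values())
        common_set, hosts_with_it = port_sets.most_common(1)[0]
        profiles[src] = {
            "hosts": len(dsts),
            "ports": len(set().union(*dsts.values())),
            "common_ports": sorted(common_set),
            # 1.0 means every destination got the same ports (a symmetric graph).
            "symmetry": hosts_with_it / len(dsts),
        }
    return profiles

def flag_scanners(events, min_hosts=5, min_ports=3, min_symmetry=0.9):
    """Sources that probed many hosts with one repeated multi-port set.
    Thresholds are illustrative assumptions, not tuned values."""
    return sorted(
        src for src, p in profile_sources(events).items()
        if p["hosts"] >= min_hosts
        and len(p["common_ports"]) >= min_ports
        and p["symmetry"] >= min_symmetry
    )

# Constructed sample data: one sweep plus unrelated client traffic.
TARGETS = [f"192.168.1.{i}" for i in range(1, 9)]
SCAN = [("10.0.0.50", dst, port) for dst in TARGETS
        for port in (22, 80, 443, 3389)]
NOISE = [("10.0.0.7", "192.168.1.1", 443), ("10.0.0.7", "192.168.1.2", 53),
         ("10.0.0.7", "192.168.1.3", 25), ("10.0.0.7", "192.168.1.4", 443),
         ("10.0.0.7", "192.168.1.5", 22), ("10.0.0.7", "192.168.1.6", 80),
         ("10.0.0.7", "192.168.1.6", 443)]
SAMPLE = SCAN + NOISE

if __name__ == "__main__":
    for src, profile in profile_sources(SAMPLE).items():
        print(src, profile)
    print("flagged:", flag_scanners(SAMPLE))
```

A source with many destinations but low symmetry, like the constructed `10.0.0.7`, corresponds to the set of unrelated events that do not correlate.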
Detailed view of the destination IPs represented by the nodes in the circle.
Complex view of the port scan.
Simulated view as it would be seen in a port scanning tool: