Forum Discussion
Daily "Network Port Sweep detected on port x" but no Source IP
For a couple of months we have been getting "Network Port Sweep was detection by multiple IPs" with ports 135 and 445 mostly. The KQL attached lists a load of Destination IPs but no Source IP (see ex...
Hello, are you saying there is no SOURCE IP column/or its blank or just that your query isnt displaying it? Currently as you are summarising the data you are only seeing the columns you name.
There are some ideas in this query, to get you started
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection =~ "Inbound"
| where ipv4_is_private(SrcIpAddr)==false
| distinct SrcIpAddr, DstIpAddr, DvcHostname, DstPortNumber
| extend country_=geo_info_from_ip_address(SrcIpAddr)
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-set-aggregation-function
as you are using make-set with 100 you get 100 random values, lets say you have 200 results you maybe missing something in the 100 you are dropping
There are some ideas in this query, to get you started
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection =~ "Inbound"
| where ipv4_is_private(SrcIpAddr)==false
| distinct SrcIpAddr, DstIpAddr, DvcHostname, DstPortNumber
| extend country_=geo_info_from_ip_address(SrcIpAddr)
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-set-aggregation-function
as you are using make-set with 100 you get 100 random values, lets say you have 200 results you maybe missing something in the 100 you are dropping
Clive_Watson Hi, there’s no source IP. The query running is one built into Sentinel.
I shall try running your query. Thanks for the feedback.
Hey MarcusBoyce, just wondering if you were able to solve this? I have the same issue.
