Forum Discussion

mchhetry14
Copper Contributor
Jul 20, 2020

KQL rule to Detect Scanning Activity

I want assistance in building KQL query to detect scanning activity in my network.

For example - if any IP or Host is trying to attempt/scan more than 500 distinct IPs or Ports in a short interval of time.

 

Query used in Splunk:

index=* sourcetype=firewall*
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip
| where num_dest_port > 500 or num_dest_ip > 500

 

Please help me to build KQL on this.

 
  • majo01
    Brass Contributor

    mchhetry14 CliveWatson 

     

    Based on the question, I think the function should be "dcount", not "count", as distinct IPs/Ports need to be counted.

     

    WindowsFirewall
    | summarize count(DestinationIP), count(DestinationPort) by Computer
    | where count_DestinationIP > 500 or count_DestinationPort > 500

     

    should become:

    WindowsFirewall
    | summarize dcount(DestinationIP), dcount(DestinationPort) by Computer
    | where dcount_DestinationIP > 500 or dcount_DestinationPort > 500
  • mchhetry14 

     

    We need to know which table you are storing the data in for a precise answer. This is an example for the WindowsFirewall table (if you have that?)

     

    WindowsFirewall
    | summarize count(DestinationIP), count(DestinationPort) by Computer
    | where count_DestinationIP > 500 or count_DestinationPort > 500

     

     

    Computer                     count_DestinationIP  count_DestinationPort
    test1234.corp.microsoft.com  217704               217704

    If you have VMConnection (from the VM Insights solution):
    https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-enable-overview#how-to-enable-azure-monitor-for-vms

    note: this shows "less than" 
    VMConnection
    | summarize count(DestinationIp), count(DestinationPort) by Computer
    | where count_DestinationIp < 500 or count_DestinationPort < 500
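
    Putting the thread's pieces together as an added example (not code from any participant): the dcount correction from majo01's reply plus the "short interval of time" window the question asks for, which the replies above leave out. It assumes the WindowsFirewall table and the column names used in the replies, and treats Computer as the scanning host, the same grouping the replies use.

```kql
// Added example, not from the thread. Flags any host that reaches more than
// 500 distinct destination IPs or destination ports within one 5-minute window.
// Assumptions: the WindowsFirewall table with Computer, DestinationIP,
// DestinationPort and TimeGenerated columns; Computer is the host doing the scanning.
let threshold = 500;      // same threshold as the original Splunk search
let window = 5m;          // "short interval of time" from the question
WindowsFirewall
| where TimeGenerated > ago(1d)
| summarize DistinctIPs   = dcount(DestinationIP),     // dcount, not count
            DistinctPorts = dcount(DestinationPort),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated)
    by Computer, WindowStart = bin(TimeGenerated, window)  // one row per host per window
| where DistinctIPs > threshold or DistinctPorts > threshold
| project WindowStart, Computer, DistinctIPs, DistinctPorts, FirstSeen, LastSeen
| order by DistinctIPs desc, DistinctPorts desc
```

    Tune threshold and window to your baseline; without the bin() the counts accumulate over the whole query range, which is why the reply's example shows hundreds of thousands of hits for a single host.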
