Forum Discussion
mchhetry14
Jul 20, 2020, Copper Contributor
KQL rule to Detect Scanning Activity
I want assistance in building a KQL query to detect scanning activity in my network. For example, if any IP or host is trying to attempt/scan more than 500 distinct IPs or ports in a short interval of ...
CliveWatson
Jul 21, 2020, Former Employee
We need to know what table you are storing the data in for a precise answer. This is an example for the WindowsFirewall table (if you have that?):
```kusto
WindowsFirewall
| summarize count(DestinationIP), count(DestinationPort) by Computer
| where count_DestinationIP > 500 or count_DestinationPort > 500
```

| Computer | count_DestinationIP | count_DestinationPort |
|---|---|---|
| test1234.corp.microsoft.com | 217704 | 217704 |
If you have VMConnection (from the VM Insights solution):
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-enable-overview#how-to-enable-azure-monitor-for-vms
Note: this one shows "less than".
```kusto
VMConnection
| summarize count(DestinationIp), count(DestinationPort) by Computer
| where count_DestinationIp < 500 or count_DestinationPort < 500
```
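The question asks for distinct destinations within a short interval, which the row counts above do not measure. The following is an added example (not code from either poster) that counts distinct IPs and ports per source per 10-minute window on the WindowsFirewall table; it assumes the column names used in the answer above plus the standard Log Analytics TimeGenerated column, and uses Computer as the source identifier.

```kusto
// Added example: flag any Computer that reached more than 500 distinct
// destination IPs or destination ports within a single 10-minute window.
// Assumes WindowsFirewall with Computer, DestinationIP, DestinationPort
// (as in the answer above) and the standard TimeGenerated column.
let threshold = 500;          // distinct destinations that count as a sweep
let window = 10m;             // "short interval" from the question
WindowsFirewall
| where TimeGenerated > ago(1d)
// dcount() is an estimate (HyperLogLog); pass a second argument, e.g.
// dcount(DestinationIP, 4), if you need higher accuracy near the threshold.
| summarize DistinctIPs   = dcount(DestinationIP),
            DistinctPorts = dcount(DestinationPort),
            Events        = count()
  by Computer, WindowStart = bin(TimeGenerated, window)
| where DistinctIPs > threshold or DistinctPorts > threshold
// Label the pattern: many hosts = horizontal sweep, many ports = port scan.
| extend ScanType = case(
    DistinctIPs > threshold and DistinctPorts > threshold, "IP and port sweep",
    DistinctIPs > threshold,                               "Horizontal (IP sweep)",
                                                           "Vertical (port scan)")
| project WindowStart, Computer, DistinctIPs, DistinctPorts, Events, ScanType
| order by WindowStart desc
```

Tune the threshold and window against a baseline of your own environment first, since backup servers, vulnerability scanners and monitoring hosts legitimately exceed 500 distinct destinations and should be excluded by Computer name before this is turned into an analytics rule.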