Forum Discussion
mchhetry14
Jul 20, 2020, Copper Contributor
KQL rule to Detect Scanning Activity
I want assistance in building KQL query to detect scanning activity in my network. For example - if any IP or Host is trying to attempt/scan more than 500 distinct IPs or Ports in short interval of ...
majo01
Jul 21, 2020, Brass Contributor
Based on the question, I think the function should be "dcount", not "count", as distinct IPs/Ports need to be counted.
WindowsFirewall | summarize count(DestinationIP), count(DestinationPort) by Computer | where count_DestinationIP > 500 or count_DestinationPort > 500
should become:
WindowsFirewall
| summarize dcount(DestinationIP), dcount(DestinationPort) by Computer
| where dcount_DestinationIP > 500 or dcount_DestinationPort > 500
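Added example, not part of the thread: the same dcount-per-Computer logic written in Python and run over constructed firewall-log records, so the behaviour can be checked offline. It also adds the time bucketing the question's "short interval" calls for (in KQL that would be `by Computer, bin(TimeGenerated, 5m)`). The 5-minute window, the 500 threshold and the hostnames/IPs are assumptions, and the records are made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def build_sample_events():
    """Constructed sample records shaped like the WindowsFirewall columns used
    in the thread (TimeGenerated, Computer, DestinationIP, DestinationPort).

    ws-scan01 (assumed name) probes 600 distinct ports on one destination
    within two minutes; ws-normal (assumed name) talks to 20 distinct hosts
    on port 443 spread over an hour, which should not trigger the rule.
    """
    base = datetime(2020, 7, 20, 10, 0, 0)
    events = []
    for port in range(1, 601):
        events.append({
            "TimeGenerated": base + timedelta(seconds=port * 0.2),
            "Computer": "ws-scan01",
            "DestinationIP": "10.0.0.5",
            "DestinationPort": port,
        })
    for i in range(20):
        events.append({
            "TimeGenerated": base + timedelta(minutes=3 * i),
            "Computer": "ws-normal",
            "DestinationIP": f"10.0.1.{i}",
            "DestinationPort": 443,
        })
    return events


def detect_scanners(events, threshold=500, window=timedelta(minutes=5)):
    """Python equivalent of:

        WindowsFirewall
        | summarize dcount(DestinationIP), dcount(DestinationPort)
            by Computer, bin(TimeGenerated, 5m)
        | where dcount_DestinationIP > 500 or dcount_DestinationPort > 500

    Returns a list of (Computer, bin_start, distinct_ips, distinct_ports)
    for every (Computer, time bin) that exceeds the threshold.
    """
    ips = defaultdict(set)    # (Computer, bin_start) -> set of DestinationIP
    ports = defaultdict(set)  # (Computer, bin_start) -> set of DestinationPort
    for ev in events:
        # Floor the timestamp to the start of its window, like bin() in KQL.
        bin_index = (ev["TimeGenerated"] - EPOCH) // window
        key = (ev["Computer"], EPOCH + bin_index * window)
        ips[key].add(ev["DestinationIP"])
        ports[key].add(ev["DestinationPort"])

    hits = []
    for key in sorted(ips):
        n_ip, n_port = len(ips[key]), len(ports[key])
        # Distinct counts, not raw event counts, as majo01 pointed out.
        if n_ip > threshold or n_port > threshold:
            hits.append((key[0], key[1], n_ip, n_port))
    return hits


if __name__ == "__main__":
    for computer, start, n_ip, n_port in detect_scanners(build_sample_events()):
        print(f"{computer} {start:%Y-%m-%d %H:%M} "
              f"distinct IPs={n_ip} distinct ports={n_port}")
```

Binning per window matters: without it, a host that legitimately contacts a few hundred distinct addresses over a day would eventually cross the threshold, whereas the sample scanner crosses it inside a single 5-minute bucket.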
CliveWatson
Jul 21, 2020, Former Employee
Thanks majo01 - well spotted 😉
I missed the "distinct" word in the question.
mchhetry14
Oct 24, 2020, Copper Contributor
Thank you for helping me out