Forum Discussion

griggs31
Copper Contributor
Aug 25, 2023

Defender not detecting test Kali Linux devices connected to network

Hello, first time posting here. Our organization is trying to get more familiar with MS 365 Defender. Just to see what it would discover, we connected a device running Kali Linux (not domain joined) to our internal LAN network, then did some Nmap scans from it against the subnet and one of our servers. We were thinking we would see Defender trigger some kind of alert, but that did not happen. We are also not seeing this Kali Linux device in the Defender Device Inventory anywhere.


We have our device discovery set to Standard and have the appropriate networks enabled for Monitoring. Should we be getting some kind of alert of a non-onboarded device doing port scans against other devices in our network?

    • griggs31
      Copper Contributor
      Thanks for the reply. The Kali machines are connected to the same subnet as the one I was scanning. I'm trying to simulate a scenario where someone brings a foreign, unmanaged device inside our building and plugs it into our network.
  • Have you checked the Uncategorized Devices? You should also be able to create an alert within the Custom Detection Rules.

    A sample alert could be based on logic from the following KQL:

    DeviceInfo
    // devices that have not been assigned to a device group
    | where MachineGroup == "UnassignedGroup"
    // match on the discovered device's name
    | where DeviceName contains "Kali"
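    One way to hunt for the scenario in the original post, as an added example that is not from this thread and not Microsoft's code: a device that is never onboarded sends no telemetry of its own, so a DeviceInfo or DeviceProcessEvents query can only find it if an onboarded sensor happened to observe it. What Defender can see is the scan's inbound connections landing on the onboarded server that was probed, which is recorded in DeviceNetworkEvents. The Python below models the fan-out logic a custom detection rule could express over that table: one remote address opening connections to many distinct local ports on a single onboarded device within a short window. The column names (Timestamp, DeviceName, ActionType, RemoteIP, LocalPort) mirror DeviceNetworkEvents; the sample rows, the 10.0.0.x addresses, the device name FILESRV01 and the thresholds are constructed assumptions for the example.

    ```python
    """Port-scan fan-out detector over DeviceNetworkEvents-style rows.

    Added example (not from the thread, not Microsoft's code). It models the
    logic a custom detection rule could express over Defender's
    DeviceNetworkEvents table: a single remote address connecting to many
    distinct local ports on one onboarded device within a short window.
    Column names mirror DeviceNetworkEvents; the rows below are constructed.
    """
    from collections import defaultdict
    from datetime import datetime, timedelta

    # Constructed sample rows (not real telemetry): 10.0.0.50 plays the unmanaged
    # box and touches 25 distinct ports on FILESRV01 over 25 seconds; 10.0.0.20
    # makes two ordinary connections (SMB, RPC) and should not be flagged.
    SAMPLE_EVENTS = [
        {"Timestamp": f"2023-08-25T10:00:{i:02d}Z", "DeviceName": "FILESRV01",
         "ActionType": "InboundConnectionAccepted", "RemoteIP": "10.0.0.50",
         "LocalPort": 20 + i}
        for i in range(25)
    ] + [
        {"Timestamp": "2023-08-25T10:00:05Z", "DeviceName": "FILESRV01",
         "ActionType": "InboundConnectionAccepted", "RemoteIP": "10.0.0.20",
         "LocalPort": 445},
        {"Timestamp": "2023-08-25T10:00:09Z", "DeviceName": "FILESRV01",
         "ActionType": "InboundConnectionAccepted", "RemoteIP": "10.0.0.20",
         "LocalPort": 135},
    ]


    def parse_ts(ts: str) -> datetime:
        """Parse the UTC ISO-8601 timestamp format used in the sample rows."""
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


    def find_port_scan_sources(events, window_seconds=60, min_distinct_ports=15):
        """Return (RemoteIP, DeviceName) pairs whose inbound connections hit at
        least `min_distinct_ports` distinct local ports inside any window of
        `window_seconds`. Only accepted inbound connections are considered, so
        the scanner is the RemoteIP and the probed port is the LocalPort."""
        by_pair = defaultdict(list)
        for e in events:
            if e["ActionType"] != "InboundConnectionAccepted":
                continue
            key = (e["RemoteIP"], e["DeviceName"])
            by_pair[key].append((parse_ts(e["Timestamp"]), int(e["LocalPort"])))

        window = timedelta(seconds=window_seconds)
        hits = []
        for (remote_ip, device), rows in by_pair.items():
            rows.sort()  # chronological order for the sliding window
            best, start = 0, 0
            for end in range(len(rows)):
                # Slide the window start forward until it spans <= window_seconds
                while rows[end][0] - rows[start][0] > window:
                    start += 1
                distinct = len({port for _, port in rows[start:end + 1]})
                best = max(best, distinct)
            if best >= min_distinct_ports:
                hits.append({
                    "RemoteIP": remote_ip,
                    "DeviceName": device,
                    "DistinctPorts": best,
                    "FirstSeen": rows[0][0].isoformat(),
                    "LastSeen": rows[-1][0].isoformat(),
                })
        return sorted(hits, key=lambda h: -h["DistinctPorts"])


    if __name__ == "__main__":
        for hit in find_port_scan_sources(SAMPLE_EVENTS):
            print(f"{hit['RemoteIP']} -> {hit['DeviceName']}: "
                  f"{hit['DistinctPorts']} distinct ports "
                  f"({hit['FirstSeen']} .. {hit['LastSeen']})")
    ```

    The thresholds are the part worth tuning against your own baseline: a backup server or vulnerability scanner legitimately fans out across many ports, so an allow-list of known scanner addresses usually accompanies a rule like this. The inverse is also useful as a check: run the same logic against ConnectionFailed rows, since a scan of closed ports leaves a trail of refused connections rather than accepted ones.
    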
    • griggs31
      Copper Contributor
      Thanks for the reply. These Kali machines are not showing up in Uncategorized Devices or anywhere in Device Inventory that I can find. I've tried filtering by OS and also by Onboard Status (Insufficient Info, Can be Onboarded, Unsupported).

      I ran several queries in Advanced hunting, similar to what you are suggesting, and also looked for DeviceProcessEvents containing "nmap", but still nothing.
