Microsoft Tech Community

KQL rule to Detect Scanning Activity


I want assistance in building a KQL query to detect scanning activity in my network.

For example: if any IP or host attempts to scan more than 500 distinct IPs or ports in a short interval of time.

Query used in Splunk (the second field alias corrected to num_dest_port so the where clause can reference it):

index=* sourcetype=firewall*
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip
| where num_dest_port > 500 or num_dest_ip > 500

Please help me build the KQL for this.

 
5 Replies

@mchhetry14

We need to know which table you are storing the data in for a precise answer. This is an example for the WindowsFirewall table (if you have that?):

WindowsFirewall
| summarize count(DestinationIP), count(DestinationPort) by Computer
| where count_DestinationIP > 500 or count_DestinationPort > 500

Computer                      count_DestinationIP  count_DestinationPort
test1234.corp.microsoft.com   217704               217704

If you have VMConnection (from the VM Insights solution):
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-enable-overview#how-to-enab...

note: this shows "less than"
VMConnection
| summarize count(DestinationIp), count(DestinationPort) by Computer
| where count_DestinationIp < 500 or count_DestinationPort < 500

@mchhetry14 @CliveWatson

Based on the question, I think the function should be "dcount", not "count", as distinct IPs/ports need to be counted.

WindowsFirewall
| summarize count(DestinationIP), count(DestinationPort) by Computer
| where count_DestinationIP > 500 or count_DestinationPort > 500

should become:

WindowsFirewall
| summarize dcount(DestinationIP), dcount(DestinationPort) by Computer
| where dcount_DestinationIP > 500 or dcount_DestinationPort > 500
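The queries in this thread count distinct targets over the whole query range, but the original question asked for "a short interval of time": a host that contacts 500 distinct IPs over a month is normal, 500 in five minutes is a sweep. The following is an added example, not code posted in the thread or published by Microsoft. It applies the dcount logic above per 5-minute bucket and labels the hit as a horizontal sweep (many hosts) or a vertical scan (many ports). It assumes the WindowsFirewall table has TimeGenerated, Computer, DestinationIP and DestinationPort columns (the last three are the ones the thread's query uses); the threshold, window and output column names are assumed values to tune.

```kql
// Added example, not from the thread: scan detection with a time window.
// Assumes WindowsFirewall has TimeGenerated, Computer, DestinationIP and
// DestinationPort columns. threshold and window are assumed tuning values.
let threshold = 500;
let window = 5m;
WindowsFirewall
| where TimeGenerated > ago(1d)
| where isnotempty(DestinationIP)
| summarize
    DistinctDestIPs   = dcount(DestinationIP),
    DistinctDestPorts = dcount(DestinationPort),
    Connections       = count(),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated),
    SampleTargets     = make_set(DestinationIP, 10)   // keep up to 10 targets for triage
    by Computer, bin(TimeGenerated, window)           // one row per host per 5-minute bucket
| where DistinctDestIPs > threshold or DistinctDestPorts > threshold
| extend ScanType = case(
    DistinctDestIPs > threshold and DistinctDestPorts > threshold, "host sweep and port scan",
    DistinctDestIPs > threshold, "horizontal scan (many hosts)",
    "vertical scan (many ports)")
| project TimeGenerated, Computer, ScanType, DistinctDestIPs, DistinctDestPorts,
          Connections, FirstSeen, LastSeen, SampleTargets
| order by DistinctDestIPs desc, DistinctDestPorts desc
```

Two caveats when turning this into an analytics rule. dcount() is an estimate (HyperLogLog), so a host right at the threshold can land on either side of it; pass an accuracy level, dcount(DestinationIP, 4), if the boundary matters. And a fixed bin() can split one scan across two buckets, so a scan that straddles a boundary may show under the threshold in both; shrinking the window or running the rule with a lookback that overlaps the previous run reduces that gap. If your table records the initiating address (a SourceIP column) rather than only the reporting host, group by that instead of Computer to match the Splunk query's by src_ip.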

Thanks @majo01 - well spotted ;)

I missed the "distinct" word in the question.   

Thank you for assisting me on the query!
Thank you for helping me out