KQL rule to Detect Scanning Activity


I want assistance in building a KQL query to detect scanning activity in my network.

For example: if any IP or host is trying to scan more than 500 distinct IPs or ports in a short interval of time.

 

Query used in Splunk: 

index=* sourcetype=firewall*

| stats dc(dest_port) as num_dest_port, dc(dest_ip) as num_dest_ip by src_ip

| where num_dest_port > 500 or num_dest_ip > 500

 

Please help me to build KQL on this.

 
3 Replies

@mchhetry14 

 

We need to know what table you are storing the data in for a precise answer. This is an example for the WindowsFirewall table (if you have that?):

 

WindowsFirewall
| summarize count(DestinationIP), count(DestinationPort) by Computer
| where count_DestinationIP > 500 or count_DestinationPort > 500

 

 

Computer                     count_DestinationIP  count_DestinationPort
test1234.corp.microsoft.com  217704               217704

If you have VMConnection (from the VM Insights solution):
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-enable-overview#how-to-enable-azure-monitor-for-vms

note: this shows "less than" 
VMConnection
| summarize count(DestinationIp), count(DestinationPort) by Computer
| where count_DestinationIp < 500 or count_DestinationPort < 500

@mchhetry14 @Clive Watson 

 

Based on the question, I think the function should be "dcount", not "count", as distinct IPs/ports need to be counted.

 

WindowsFirewall
| summarize count(DestinationIP), count(DestinationPort) by Computer
| where count_DestinationIP > 500 or count_DestinationPort > 500

 

should become:

WindowsFirewall
| summarize dcount(DestinationIP), dcount(DestinationPort) by Computer
| where dcount_DestinationIP > 500 or dcount_DestinationPort > 500
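Two things the thread leaves open are worth closing for anyone turning this into a rule. First, the original question asked for "more than 500 distinct IPs or ports in a short interval of time"; a plain summarize over the whole query range counts distinct targets since the start of the lookback, so a busy server will trip the threshold over a day without ever scanning anything. Second, the Splunk query grouped by src_ip (the scanner), while the KQL replies group by Computer, which in WindowsFirewall is the host that logged the event, not necessarily the host doing the scanning. The query below is an added example, not code from the thread: it groups by SourceIP inside 5-minute bins and separates host sweeps from port scans. It assumes the WindowsFirewall columns SourceIP, DestinationIP, DestinationPort and TimeGenerated; the window, lookback and threshold are placeholders to tune against your own baseline.

```kql
// Added example (not from the thread): host/port-sweep detection over the
// WindowsFirewall table with the "short interval" expressed as 5-minute bins.
// Assumed columns: SourceIP, DestinationIP, DestinationPort, TimeGenerated, Computer.
let lookback  = 1h;    // how far back each run of the rule looks
let window    = 5m;    // the "short interval" the question refers to
let threshold = 500;   // distinct targets in one window that count as a scan
WindowsFirewall
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIP)
// dcount() is an estimate (HyperLogLog). The optional accuracy level (0-4)
// tightens the error, which matters when real counts sit close to the threshold.
| summarize DistinctDestIPs   = dcount(DestinationIP, 3),
            DistinctDestPorts = dcount(DestinationPort, 3),
            Events    = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by SourceIP, Computer, WindowStart = bin(TimeGenerated, window)
| where DistinctDestIPs > threshold or DistinctDestPorts > threshold
// Many IPs on few ports is a host sweep; many ports on few IPs is a port scan.
| extend ScanType = case(
    DistinctDestIPs > threshold and DistinctDestPorts > threshold, "host and port sweep",
    DistinctDestIPs > threshold, "host sweep",
    "port scan")
| project WindowStart, SourceIP, Computer, ScanType,
          DistinctDestIPs, DistinctDestPorts, Events, FirstSeen, LastSeen
| order by WindowStart desc, DistinctDestIPs desc
```

Note that bin() cuts fixed windows, so a scan straddling two 5-minute boundaries is split across rows and may stay under the threshold in each; lowering the threshold or widening the window trades that miss for more noise from legitimate chatty hosts such as vulnerability scanners and monitoring systems, which you will want to allow-list by SourceIP before the where clause. The same shape applies to VMConnection by swapping in its SourceIp and DestinationIp column names.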

Thanks @majo01 - well spotted ;)

I missed the "distinct" word in the question.