Forum Discussion

StephanGee
Steel Contributor
Jul 15, 2024

Detect horizontal / vertical port scans

Hi everyone,

 

I recently installed Greenbone OpenVAS and performed a port scan in the servers subnet (all have Defender installed). I would have expected an alert but ... nothing. Just an IIS server had some bad logins.

 

I then hunted for the remote IP and used this query

DeviceNetworkEvents
| where Timestamp > ago(1d) and RemoteIP startswith "172.20.100.100"
| summarize
    by RemoteIP, DeviceName, RemotePort
| summarize RemotePortCount=dcount(RemotePort) by DeviceName, RemoteIP

 

Got 31 hosts back that Greenbone connected to within 1h.

 

Is there a detection for this anyway? And if yes - how high is the threshold?

 

BR

Stephan
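
An added hunting example, not part of the original post and not a built-in Defender detection: it classifies each remote IP in DeviceNetworkEvents as a vertical scanner (many ports on one device) or a horizontal scanner (one port on many devices) per time bin. The lookback, bin size and both thresholds are assumed values to tune for your environment.

```kusto
// Added example. All four values below are assumptions, not Defender defaults.
let lookback  = 1d;
let binSize   = 1h;
let minPorts  = 20;   // distinct ports on ONE device  => vertical scan
let minHosts  = 10;   // distinct devices on ONE port  => horizontal scan
// For inbound events the scanned port is LocalPort; RemotePort is the
// source port chosen by the remote side.
let inbound = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "InboundConnectionAccepted"
    | where isnotempty(RemoteIP)
    | project Timestamp, DeviceName, RemoteIP, LocalPort;
// Vertical: one source, one device, many different ports in the same bin.
let vertical = inbound
    | summarize Ports = dcount(LocalPort),
                SamplePorts = make_set(LocalPort, 20)
        by RemoteIP, DeviceName, bin(Timestamp, binSize)
    | where Ports >= minPorts
    | extend ScanType = "vertical";
// Horizontal: one source, one port, many different devices in the same bin.
let horizontal = inbound
    | summarize Hosts = dcount(DeviceName),
                SampleHosts = make_set(DeviceName, 20)
        by RemoteIP, LocalPort, bin(Timestamp, binSize)
    | where Hosts >= minHosts
    | extend ScanType = "horizontal";
union vertical, horizontal
| order by Timestamp desc, RemoteIP asc
```

Because the query filters on accepted inbound connections, probes to closed or filtered ports are not counted, so the port and host counts are lower bounds on what the scanner actually touched.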

 
