
Defender not detecting test Kali Linux devices connected to network


Hello, first time posting here.  Our organization is trying to get more familiar with MS 365 Defender.  Just to see what it would discover, we connected a device running Kali Linux (not domain joined) to our internal LAN network then did some NMAP scans from it against the subnet and one of our servers.  We were thinking we would see Defender trigger some kind of alert but that did not happen.  We are also not seeing this Kali Linux device in the Defender Device Inventory anywhere.  


We have our device discovery set to Standard and have the appropriate networks enabled for Monitoring.   Should we be getting some kind of alert of a non-onboarded device doing port scans against other devices in our network?

8 Replies
Have you checked the Uncategorized Devices? You should also be able to create an alert within the Custom Detection Rules.

A sample alert could be based on logic from the following KQL

// DeviceInfo is assumed as the source table; it carries MachineGroup and DeviceName
DeviceInfo
| where MachineGroup == "UnassignedGroup"
| where DeviceName contains "Kali"

Thanks for the reply. These Kali machines are not showing up in Uncategorized Devices or anywhere in Device Inventory that I can find. I've tried filtering by OS and also by Onboard Status (Insufficient Info, Can be Onboarded, Unsupported)

I ran several queries in Advanced hunting, similar to what you are suggesting and also looking for DeviceProcessEvents containing "nmap" but still nothing.
Silly question but are the Kali boxes on the same network segment as the rest of your fleet?
Thanks for the reply. The Kali machines are connected to the same subnet as the one I was scanning. Trying to simulate a scenario where someone brings a foreign, unmanaged device inside our building and plugs it into our network.

@griggs31 are your device discovery settings set up like the following?




@griggs31 hmmm


One thing you can try if it's not coming up in the Defender portal is a network device scan

See documentation below, there is a little bit of setup for this


Network device discovery and vulnerability management | Microsoft Learn


I'm a little bit surprised Defender hasn't picked up your Kali box at all, especially in the uncategorized devices list

I tried doing a Network Device Scan but this only discovered network devices (routers, switches, etc). The scan did ping the IP of the Kali Box along with the other endpoints in the subnet but they all came back with "An existing connection was forcibly closed by the remote host"
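
An added example, not part of the original thread: DeviceProcessEvents only records processes on onboarded machines, so a scan launched from an unmanaged box has to be hunted from the targets' side. This advanced hunting sketch looks in DeviceNetworkEvents for a single source IP that had connections accepted on many ports or by many onboarded devices; the subnet 10.0.0.0/24 and the thresholds are assumed placeholder values.

```kusto
// Added example: subnet and thresholds are assumptions, tune them for your network.
let lookback = 1d;
let scannedSubnet = "10.0.0.0/24";   // placeholder for the monitored LAN subnet
let minPorts = 10;                   // distinct listening ports reached by one source
let minDevices = 5;                  // distinct onboarded devices reached by one source
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Recorded by the onboarded target, so the source does not need to be onboarded.
// Only ports that were open and accepted the connection appear here.
| where ActionType == "InboundConnectionAccepted"
| where ipv4_is_in_range(RemoteIP, scannedSubnet)
| summarize
    Ports = dcount(LocalPort),
    Devices = dcount(DeviceId),
    SamplePorts = make_set(LocalPort, 20),
    Targets = make_set(DeviceName, 20),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by RemoteIP, bin(Timestamp, 1h)
| where Ports >= minPorts or Devices >= minDevices
| order by Ports desc
```

Known management hosts and vulnerability scanners will also match, so exclude their addresses before turning the logic into an alert.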