Jul 19 2020
I want assistance in building KQL query to detect scanning activity in my network.
For example, if any IP or host attempts to scan more than 500 distinct IPs or ports in a short interval of time.
Query used in Splunk:
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip
| where num_dest_port > 500 or num_dest_ip > 500
Please help me build the equivalent KQL query.
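An added KQL translation of the Splunk query above (example only, not part of the original post). It assumes the events sit in the CommonSecurityLog table (SourceIP, DestinationIP, DestinationPort columns) and uses a 5-minute bin as the "short interval"; both are assumptions, not details from the question.

```kql
// Added example: KQL equivalent of the Splunk "stats dc(...) by src_ip" query.
// Assumptions: events are in CommonSecurityLog, and "short interval" = 5 minutes.
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
// Count distinct targets per source inside each 5-minute bin.
// Note: dcount() is an estimate (HyperLogLog), accurate enough for a 500 threshold.
| summarize num_dest_port = dcount(DestinationPort),
            num_dest_ip   = dcount(DestinationIP),
            first_seen    = min(TimeGenerated),
            last_seen     = max(TimeGenerated)
  by src_ip = SourceIP, bin(TimeGenerated, 5m)
// Same thresholds as the Splunk version: more than 500 distinct ports or IPs
| where num_dest_port > 500 or num_dest_ip > 500
| project-away TimeGenerated
| order by num_dest_ip desc, num_dest_port desc
```

Tune the bin size and thresholds to your traffic volume; a shorter bin catches fast sweeps, a longer one catches slow scans but raises the false-positive rate for busy hosts such as proxies or vulnerability scanners.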
Jul 20 2020
Sorry to disappoint you, but this is the Microsoft Learn community and is not exactly specialized on your topic/question. Although one or the other MCT specialized in this technology could be visiting this community, I have the feeling that your question should be posted in the respective community. Thank you for your understanding. Here is the link to the community: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ct-p/CoreInfrastructureandSe...
Cheers, Rolf
#MCT #LearnWithRolf #TheCloud42