KQL rule to Detect Scanning Activty

mchhetry14 · ‎Jul 19 2020

I want assistance in building KQL query to detect scanning activity in my network.

For example - if any IP or Host is trying to attempt/scan more than 500 distinct IPs or Ports in short interval of time.

Query used in Splunk:

index=* sourcetype=firewall*

| stats dc(dest_port) as num(dest_port) dc(dest_ip) as num_dest_ip by src_ip

| where num_dest_port >500 or num_dest_ip .500

Please help me to build KQL on this.

Rolf-42 · ‎Jul 20 2020

Hello @mchhetry14

Sorry to disappoint you but this is the Microsoft Learn community and is not exactly specialized on your topic/question. Although one or the other MCT specialized in this technology could be visiting this community I have the feeling that your question should be posted in the respective community.
Thank you for your understanding. Here is the link to the community:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ct-p/CoreInfrastructureandSe...

Cheers
Rolf
#MCT #LearnWithRolf #TheCloud42

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

KQL rule to Detect Scanning Activty

KQL rule to Detect Scanning Activty

Re: KQL rule to Detect Scanning Activty