I want assistance in building KQL query to detect scanning activity in my network.
For example - if any IP or Host is trying to attempt/scan more than 500 distinct IPs or Ports in short interval of time.
Query used in Splunk:
| stats dc(dest_port) as num(dest_port) dc(dest_ip) as num_dest_ip by src_ip
| where num_dest_port >500 or num_dest_ip .500
Please help me to build KQL on this.
Sorry to disappoint you but this is the Microsoft Learn community and is not exactly specialized on your topic/question. Although one or the other MCT specialized in this technology could be visiting this community I have the feeling that your question should be posted in the respective community.Thank you for your understanding. Here is the link to the community:https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ct-p/CoreInfrastructureandSe...
CheersRolf#MCT #LearnWithRolf #TheCloud42