I want assistance in building a KQL query to detect scanning activity in my network.
For example, if any IP or host attempts to scan more than 500 distinct IPs or ports in a short interval of time.
Query used in Splunk:
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip
| where num_dest_port > 500 OR num_dest_ip > 500
Please help me to build KQL on this.
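One way to express the same detection in KQL, as an added example that is not part of the original post. It assumes the network events live in the Microsoft Sentinel CommonSecurityLog table with the SourceIP, DestinationIP, DestinationPort and TimeGenerated columns; if your connector writes elsewhere (for example the ASIM _Im_NetworkSession parser, with SrcIpAddr, DstIpAddr and DstPortNumber), substitute that table and its column names. The "short interval" from the question is modelled as fixed 5-minute buckets, and the 500 threshold is kept as given:

```kql
// Added example, not from the original post. Assumed source: CommonSecurityLog
// with SourceIP / DestinationIP / DestinationPort / TimeGenerated.
let lookback  = 1h;   // how far back to search
let window    = 5m;   // "short interval": size of each time bucket
let threshold = 500;  // distinct ports or distinct IPs per source per bucket
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
// Splunk's dc()/stats ... by src_ip becomes dcount()/summarize ... by SourceIP,
// with bin() adding the time dimension that the Splunk query lacks
| summarize
    num_dest_port = dcount(DestinationPort),
    num_dest_ip   = dcount(DestinationIP),
    total_events  = count(),
    first_seen    = min(TimeGenerated),
    last_seen     = max(TimeGenerated)
    by SourceIP, bin(TimeGenerated, window)
| where num_dest_port > threshold or num_dest_ip > threshold
// Label the pattern so an analyst can triage a vertical scan vs. a host sweep
| extend scan_type = case(
    num_dest_port > threshold and num_dest_ip > threshold, "port scan and host sweep",
    num_dest_port > threshold, "port scan (many ports on few hosts)",
    "host sweep (few ports on many hosts)")
| project TimeGenerated, SourceIP, scan_type, num_dest_port, num_dest_ip,
          total_events, first_seen, last_seen
| order by num_dest_ip desc, num_dest_port desc
```

Two caveats when tuning this. dcount() is an approximate (HyperLogLog) count; the default accuracy is fine for a threshold of 500, but dcount(x, 4) trades speed for precision if you need counts closer to exact. And bin() produces tumbling windows, so a scan that straddles a bucket boundary is split across two rows and may fall under the threshold in each; lowering the threshold slightly, or widening the window, compensates. Once the query is behaving, add a whitelist of your own vulnerability scanners and monitoring hosts before the summarize, since those are the most common legitimate sources of this pattern.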