KQL rule to Detect Scanning Activity


I want assistance in building KQL query to detect scanning activity in my network.

For example - if any IP or host is trying to attempt/scan more than 500 distinct IPs or ports in a short interval of time.


Query used in Splunk: 

```comment: count distinct destination ports and destination IPs per source IP```
index=* sourcetype=firewall*
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip
```comment: keep only sources that touched more than 500 distinct ports or IPs```
| where num_dest_port > 500 OR num_dest_ip > 500


Please help me to build KQL on this.
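The KQL below is an added example (not from the original post or the reply) that does what the posted Splunk search does: count distinct destination ports and destination IPs per source and flag sources above 500. It assumes the firewall logs are in the Microsoft Sentinel CommonSecurityLog table with the columns SourceIP, DestinationIP, DestinationPort and TimeGenerated; the table name, the 10 minute window and the 1 hour lookback are assumptions to adjust to your connector and environment. Unlike the Splunk search it also buckets by time so that "short interval" is explicit.

```kql
// Added example, not from the original post. Assumes Sentinel's CommonSecurityLog
// table (SourceIP, DestinationIP, DestinationPort, TimeGenerated); change the table
// and column names if your firewall connector writes somewhere else.
let lookback  = 1h;      // how far back the rule searches each run (assumed)
let window    = 10m;     // the "short interval of time" (assumed, tune per network)
let threshold = 500;     // distinct targets per source that count as scanning
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
// One row per source per time bucket; dcount() is approximate (HyperLogLog),
// pass an accuracy level, e.g. dcount(DestinationIP, 4), if you need tighter counts.
| summarize
    num_dest_port = dcount(DestinationPort),
    num_dest_ip   = dcount(DestinationIP),
    events        = count(),
    first_seen    = min(TimeGenerated),
    last_seen     = max(TimeGenerated)
    by SourceIP, bin(TimeGenerated, window)
// Same condition as the Splunk "where": more than 500 distinct ports OR IPs
| where num_dest_port > threshold or num_dest_ip > threshold
| project-rename window_start = TimeGenerated
| order by num_dest_ip desc, num_dest_port desc
```

For a scheduled analytics rule, set the rule's lookback to at least the `lookback` value above and map SourceIP as the IP entity so the source shows up in the incident. Expect legitimate sources such as vulnerability scanners, monitoring hosts and proxies to trip the threshold; exclude them with a watchlist or an additional `where SourceIP !in (...)` clause rather than by raising the threshold for everyone.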

1 Reply

Hello @mchhetry14

Sorry to disappoint you, but this is the Microsoft Learn community and is not exactly specialized in your topic/question. Although one or the other MCT specialized in this technology could be visiting this community, I have the feeling that your question should be posted in the respective community.
Thank you for your understanding. Here is the link to the community:

#MCT #LearnWithRolf #TheCloud42