KQL rule to Detect Scanning Activity


I want assistance in building a KQL query to detect scanning activity in my network.

For example - if any IP or host is trying to attempt/scan more than 500 distinct IPs or ports in a short interval of time.


Query used in Splunk: 

index=* sourcetype=firewall*
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip
| where num_dest_port > 500 OR num_dest_ip > 500


Please help me to build KQL on this.
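An added example (not part of the original question or the reply) showing a Microsoft Sentinel / Log Analytics KQL equivalent of the Splunk search above: distinct destination ports and distinct destination hosts per source IP, counted in fixed time windows, with a per-window threshold of 500. It assumes the firewall logs arrive through the CEF connector into the CommonSecurityLog table with SourceIP, DestinationIP and DestinationPort populated; the table, column names and the allow-list addresses are assumptions to adjust for your connector.

```kql
// Added example, not the original poster's query. Assumes CommonSecurityLog
// (CEF connector); swap table/columns for your firewall's connector schema.
let lookback  = 1h;    // how far back the rule looks
let window    = 10m;   // "short interval": counts reset every 10 minutes
let threshold = 500;   // distinct ports OR distinct hosts per source per window
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
// Placeholder allow-list: authorised vulnerability scanners / monitoring hosts
// that legitimately touch many ports and hosts and would otherwise fire daily.
| where SourceIP !in ("10.0.0.5", "10.0.0.6")
| summarize
    // dcount is an estimate (HyperLogLog); dcount(x, 4) trades cost for accuracy
    num_dest_port = dcount(DestinationPort),
    num_dest_ip   = dcount(DestinationIP),
    sample_ports  = make_set(DestinationPort, 20),  // evidence for the analyst
    sample_hosts  = make_set(DestinationIP, 20),
    first_seen    = min(TimeGenerated),
    last_seen     = max(TimeGenerated)
    by SourceIP, window_start = bin(TimeGenerated, window)
// Same condition as the Splunk "where": either count over the threshold
| where num_dest_port > threshold or num_dest_ip > threshold
// Classify so triage can tell a vertical port scan from a horizontal sweep
| extend scan_type = case(
    num_dest_port > threshold and num_dest_ip > threshold, "port and host sweep",
    num_dest_port > threshold, "port scan (vertical)",
    "host sweep (horizontal)")
| project window_start, SourceIP, scan_type, num_dest_port, num_dest_ip,
          first_seen, last_seen, sample_ports, sample_hosts
| order by num_dest_ip desc, num_dest_port desc
```

Run it ad hoc first to tune `window` and `threshold` against your baseline, then save it as a scheduled analytics rule with `SourceIP` mapped as the IP entity.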

1 Reply

Hello @mchhetry14

Sorry to disappoint you, but this is the Microsoft Learn community and it is not exactly specialized in your topic/question. Although one or another MCT specialized in this technology could be visiting this community, I have the feeling that your question should be posted in the respective community.
Thank you for your understanding. Here is the link to the community:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ct-p/CoreInfrastructureandSe...


Cheers
Rolf
#MCT #LearnWithRolf #TheCloud42