Jul 20 2020 11:52 AM
I want assistance in building KQL query to detect scanning activity in my network.
For example: if any IP or host tries to attempt/scan more than 500 distinct IPs or ports in a short interval of time.
Query used in Splunk:
index=* sourcetype=firewall*
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip
| where num_dest_port > 500 or num_dest_ip > 500
Please help me build the KQL for this.
Jul 21 2020 12:36 AM
We need to know which table you are storing the data in to give a precise answer. This is an example for the WindowsFirewall table (if you have that):
WindowsFirewall
| summarize count(DestinationIP), count(DestinationPort) by Computer
| where count_DestinationIP > 500 or count_DestinationPort > 500
Computer | count_DestinationIP | count_DestinationPort |
---|---|---|
test1234.corp.microsoft.com | 217704 | 217704 |
VMConnection
| summarize count(DestinationIp), count(DestinationPort) by Computer
| where count_DestinationIp < 500 or count_DestinationPort < 500
Jul 21 2020 03:21 AM
Based on the question, I think the function should be "dcount", not "count", as distinct IPs/ports need to be counted.
WindowsFirewall | summarize count(DestinationIP), count(DestinationPort) by Computer | where count_DestinationIP > 500 or count_DestinationPort > 500
should become:
Jul 21 2020 03:41 AM
Thanks @majo01 - well spotted ;)
I missed the "distinct" word in the question.
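Putting the two answers together, here is an added example (not part of any post in the thread) that uses dcount and also adds the "short interval" the question asked for, which the queries above do not have: without bin() the counts run over the whole query time range, so a host that talks to 600 different addresses over a day looks the same as one that does it in five minutes. The datatable rows are constructed sample data standing in for the WindowsFirewall columns the thread uses (TimeGenerated, Computer, DestinationIP, DestinationPort); the threshold is lowered to 3 so the sample trips it, and Threshold, Window, FirewallSample and ScanType are names chosen here, not anything from the table schema.

```kql
// Added example. Assumes the WindowsFirewall column names used in the thread;
// swap the datatable for `WindowsFirewall | where TimeGenerated > ago(1h)` to run it for real.
let Threshold = 3;   // the thread uses 500; lowered so the constructed rows trigger
let Window = 5m;     // the "short interval": distinct counts are taken per 5-minute bin
// Constructed sample rows: scanner01 sweeps 5 hosts on one port, portscan1 hits 4 ports
// on one host, normalws1 is ordinary traffic (its repeated target keeps dcount at 1).
let FirewallSample = datatable(TimeGenerated:datetime, Computer:string, DestinationIP:string, DestinationPort:int)
[
    datetime(2020-07-20 11:00:00), "scanner01", "10.0.0.1", 22,
    datetime(2020-07-20 11:00:05), "scanner01", "10.0.0.2", 22,
    datetime(2020-07-20 11:00:10), "scanner01", "10.0.0.3", 22,
    datetime(2020-07-20 11:00:15), "scanner01", "10.0.0.4", 22,
    datetime(2020-07-20 11:00:20), "scanner01", "10.0.0.5", 22,
    datetime(2020-07-20 11:01:00), "normalws1", "10.0.0.9", 443,
    datetime(2020-07-20 11:01:30), "normalws1", "10.0.0.9", 443,
    datetime(2020-07-20 11:02:00), "normalws1", "10.0.0.10", 80,
    datetime(2020-07-20 11:30:00), "portscan1", "10.0.0.7", 21,
    datetime(2020-07-20 11:30:01), "portscan1", "10.0.0.7", 22,
    datetime(2020-07-20 11:30:02), "portscan1", "10.0.0.7", 23,
    datetime(2020-07-20 11:30:03), "portscan1", "10.0.0.7", 25
];
FirewallSample
// dcount() counts distinct values (count() would count rows), per source host and time bin
| summarize DistinctIPs = dcount(DestinationIP),
            DistinctPorts = dcount(DestinationPort),
            Events = count()
          by Computer, bin(TimeGenerated, Window)
| where DistinctIPs > Threshold or DistinctPorts > Threshold
// label what kind of scan tripped the threshold
| extend ScanType = case(DistinctIPs > Threshold and DistinctPorts > Threshold, "sweep+portscan",
                         DistinctIPs > Threshold, "host sweep",
                         "port scan")
| order by TimeGenerated asc
```

On the sample data this returns two rows: scanner01 in the 11:00 bin (DistinctIPs 5, ScanType "host sweep") and portscan1 in the 11:30 bin (DistinctPorts 4, ScanType "port scan"); normalws1 never exceeds the threshold. Two caveats for production use: dcount() is an approximation (HyperLogLog) at high cardinalities, exact enough for a 500 threshold but worth knowing if you compare it to Splunk's dc(); and a scanner that spreads its probes across a bin boundary is split into two smaller counts, so either use a slightly larger Window than the scan speed you expect or run the same summarize with a sliding window.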
Oct 24 2020 12:44 PM