
Sentinel Query

Hi everyone, I'm new to both this forum and Sentinel.

I'm looking for a KQL query which will detect port scanning. I have a query which will detect nmap scanning, but this only works from devices onboarded to our Defender 365 product. I'm looking for non-domain devices, connected to our network, scanning IPs for open ports. I have tried modifying the Palo Alto built-in KQL query but don't seem to be able to find the scans I'm actually doing to try and produce this alert.

Any help would be greatly appreciated

Thanks

    Hi Jason,

Are you sure you are using NetIQ Sentinel? KQL sounds a lot like Microsoft Sentinel. The query language used in NetIQ Sentinel is Lucene: www.microfocus.com/.../bvg1rjs.html

NetIQ Sentinel does offer KQL on its Elasticsearch page:

    https://<SentinelServer>:8443/visual-analytics/proxy/app/discover

    Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid. [A. Einstein]

Have you seen a "Pa(o)lo Alto" built-in KQL query in Sentinel's ES?

BTW: (by default) only alerts get forwarded into the embedded Elasticsearch in Sentinel. So you could write a correlation rule (in RuleLG) that detects port scans and creates alerts.
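For the case where the "Palo Alto" query really is a Microsoft Sentinel one, the following is an added example (not posted by anyone in this thread, and not a Microsoft or Palo Alto rule) of the shape such a detection usually takes: count distinct destination ports per source address in a short time window and alert above a threshold. It assumes the firewall logs reach the workspace via CEF into the standard CommonSecurityLog table; the vendor string, the action values and every threshold are assumptions to check against your own data.

```kql
// Added example, not from the original thread. Assumes Palo Alto Networks
// firewall logs ingested via CEF into Microsoft Sentinel's CommonSecurityLog.
// Column names follow the CommonSecurityLog schema; vendor/action strings and
// thresholds are assumptions and must be verified against your own events.
let lookback   = 1h;
let bin_size   = 5m;
let min_ports  = 25;   // distinct destination ports per source per window
let min_hosts  = 1;    // raise this to focus on horizontal sweeps across hosts
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "Palo Alto Networks"
| where isnotempty(SourceIP) and isnotempty(DestinationPort)
// A scanner mostly hits closed/filtered ports, so denied or reset sessions
// carry the signal; drop this filter if you also want to see allowed probes.
| where DeviceAction in~ ("deny", "drop", "reset-both", "reset-client", "reset-server")
| summarize
    DistinctPorts  = dcount(DestinationPort),
    DistinctHosts  = dcount(DestinationIP),
    SamplePorts    = make_set(DestinationPort, 20),
    SampleTargets  = make_set(DestinationIP, 10),
    Events         = count(),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by SourceIP, Window = bin(TimeGenerated, bin_size)
| where DistinctPorts >= min_ports and DistinctHosts >= min_hosts
| project Window, SourceIP, DistinctPorts, DistinctHosts, Events,
          FirstSeen, LastSeen, SamplePorts, SampleTargets
| order by DistinctPorts desc
```

Two things to check before blaming the query when your own test scan does not show up: first, run the query without the `DeviceAction` filter and with `min_ports = 1` and confirm the scanning host's `SourceIP` appears at all; if it does not, the firewall never saw the traffic. A device on the same subnet as its targets talks to them directly and only crosses the firewall when scanning another VLAN or the Internet, so a scan of local neighbours is invisible to this data source no matter how the query is written. Second, confirm the exact `DeviceVendor` and `DeviceAction` values your appliance emits (`CommonSecurityLog | summarize count() by DeviceVendor, DeviceAction`) and adjust the strings above to match.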