Sentinel Query


Hi everyone, im new to both this forum and Sentinel

Im looking for a KQL query which will detect port scanning.  I have a query which will detect nmap scanning but this only works from devices onboarded to our defender 365 product.  Im looking for non domain devices, connected to our network, scanning IP's for open ports.  I have tried modifying to Paolo alto built in KQL query but dont seem to be able to find the scans im actually doing to try and produce this alert.

Any help would be greatly appreciated


  • 0  

    Hi Jason,

    are you sure you are using NetIQ Sentinel? KQL sounds a lot like Microsoft Sentinel. The query language used in NetIQ Sentinel is Lucene:


  • 0   in reply to klasen

    Net IQ Sentinel does propose KQL on its Elastic Search page


    Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid. [A. Einstein]

  • 0   in reply to PascalS

    Have you seen a "Pa(o)lo Alto" built in KQL query in Sentinel's ES?

    BTW: (By default) only alerts get forwarded into the embedded Elasticsearch in Sentinel. So you could to write a correlation rule (in RuleLG) that detects port scans and creates alerts.