Sentinel Query


Hi everyone, I'm new to both this forum and Sentinel.

I'm looking for a KQL query which will detect port scanning. I have a query which will detect nmap scanning, but this only works from devices onboarded to our Defender 365 product. I'm looking for non-domain devices, connected to our network, scanning IPs for open ports. I have tried modifying the Palo Alto built-in KQL query but don't seem to be able to find the scans I'm actually doing to try and produce this alert.

Any help would be greatly appreciated.

Thanks
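Since the question reads as Microsoft Sentinel KQL rather than NetIQ Sentinel, here is an added example of the kind of detection asked for; it is not from the poster or the thread. It assumes Palo Alto traffic logs arrive via CEF into the `CommonSecurityLog` table, that Defender for Endpoint's `DeviceNetworkInfo` table is available to exclude onboarded devices, and the threshold of 50 distinct ports per 5 minutes is a constructed starting value to tune.

```kql
// Added example (not from the thread). Assumptions: Palo Alto traffic logs in
// CommonSecurityLog via CEF; Defender device inventory in DeviceNetworkInfo.
let lookback = 1h;
let window = 5m;
let port_threshold = 50;   // distinct destination ports per source per window (constructed value)
// IPs of devices onboarded to Defender; those already have their own nmap detection
let onboarded_ips =
    DeviceNetworkInfo
    | where TimeGenerated > ago(7d)
    | mv-expand IPAddresses
    | extend SourceIP = tostring(IPAddresses.IPAddress)
    | where isnotempty(SourceIP)
    | distinct SourceIP;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "Palo Alto Networks" and Activity == "TRAFFIC"
| where isnotempty(SourceIP) and isnotempty(DestinationPort)
// keep only sources that are NOT in the Defender inventory (non-onboarded devices)
| join kind=leftanti onboarded_ips on SourceIP
// one source touching many distinct ports in a short window is the port-scan signature
| summarize
    DistinctPorts = dcount(DestinationPort),
    DistinctHosts = dcount(DestinationIP),
    SamplePorts   = make_set(DestinationPort, 20),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by SourceIP, bin(TimeGenerated, window)
| where DistinctPorts >= port_threshold
| project-away TimeGenerated
| order by DistinctPorts desc
```

Lower `port_threshold` to catch slow scans, and swap `dcount(DestinationPort)` for `dcount(DestinationIP)` on a fixed port to catch a horizontal sweep instead.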

  • 0  

    Hi Jason,

    Are you sure you are using NetIQ Sentinel? KQL sounds a lot like Microsoft Sentinel. The query language used in NetIQ Sentinel is Lucene: www.microfocus.com/.../bvg1rjs.html

    Norbert

  • 0   in reply to klasen

    NetIQ Sentinel does offer KQL on its Elasticsearch page:

    https://<SentinelServer>:8443/visual-analytics/proxy/app/discover

    Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid. [A. Einstein]

  • 0   in reply to PascalS

    Have you seen a "Pa(o)lo Alto" built in KQL query in Sentinel's ES?

    BTW: (by default) only alerts get forwarded into the embedded Elasticsearch in Sentinel. So you could write a correlation rule (in RuleLG) that detects port scans and creates alerts.

    Norbert