This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sentinel Query

Hi everyone, im new to both this forum and Sentinel

Im looking for a KQL query which will detect port scanning.  I have a query which will detect nmap scanning but this only works from devices onboarded to our defender 365 product.  Im looking for non domain devices, connected to our network, scanning IP's for open ports.  I have tried modifying to Paolo alto built in KQL query but dont seem to be able to find the scans im actually doing to try and produce this alert.

Any help would be greatly appreciated


Parents Reply
  • Have you seen a "Pa(o)lo Alto" built in KQL query in Sentinel's ES?

    BTW: (By default) only alerts get forwarded into the embedded Elasticsearch in Sentinel. So you could to write a correlation rule (in RuleLG) that detects port scans and creates alerts.


No Data