• State Not Answered
  • Replies replies
    3
  • Subscribers subscribers
    8
  • Views views
    645
  • Users 0 members are here
  • Locked Locked
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sentinel Query

Jason Skaife

Hi everyone, im new to both this forum and Sentinel

Im looking for a KQL query which will detect port scanning.  I have a query which will detect nmap scanning but this only works from devices onboarded to our defender 365 product.  Im looking for non domain devices, connected to our network, scanning IP's for open ports.  I have tried modifying to Paolo alto built in KQL query but dont seem to be able to find the scans im actually doing to try and produce this alert.

Any help would be greatly appreciated

Thanks

Parents Reply
  • 0   in reply to PascalS

    Have you seen a "Pa(o)lo Alto" built in KQL query in Sentinel's ES?

    BTW: (By default) only alerts get forwarded into the embedded Elasticsearch in Sentinel. So you could to write a correlation rule (in RuleLG) that detects port scans and creates alerts.

    Norbert

Children
No Data

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.