Detect horizontal / vertical port scans
Hi everyone,
I recently installed Greenbone OpenVAS and performed a port scan in the servers subnet (all have Defender installed). I would have expected an alert but... nothing. Just an IIS server had some bad logins.
I then hunted for the remote IP and used this query:
DeviceNetworkEvents
// straight quotes: the smart quotes from the forum rendering are not valid KQL
| where Timestamp > ago(1d) and RemoteIP startswith "172.20.100.100"
// first collapse to one row per (scanner, device, port)
| summarize by RemoteIP, DeviceName, RemotePort
// then count distinct ports per device
| summarize RemotePortCount=dcount(RemotePort) by DeviceName, RemoteIP
Got 31 hosts back where Greenbone connected to within 1h.
Is there a detection for this anyway? And if yes – how high is the threshold?
BR
Stephan
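Below is an added advanced-hunting example (my own, not code from the original post or from Microsoft) that turns the question into a detection for both scan shapes: a vertical scan (one scanner hitting many ports on one host) and a horizontal scan (one scanner hitting the same port on many hosts). The thresholds, the 10-minute bucket size and the list of ActionType values are assumptions to tune against your own environment; the column names are the standard DeviceNetworkEvents schema.

```kql
// Added example: horizontal / vertical scan detection over DeviceNetworkEvents.
// Thresholds and bucket size are assumptions, not Defender defaults.
let lookback = 1h;
let bin_size = 10m;
let vertical_port_threshold = 20;    // distinct LocalPorts on one host from one RemoteIP
let horizontal_host_threshold = 15;  // distinct hosts contacted on one LocalPort from one RemoteIP
let base = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    // inbound view from the scanned endpoint: the scanner is the RemoteIP,
    // the scanned service port is LocalPort (RemotePort is only the scanner's source port)
    | where ActionType in ("InboundConnectionAccepted", "ConnectionFound")
    | where isnotempty(RemoteIP) and isnotempty(LocalPort)
    // drop loopback / link-local noise
    | where not(ipv4_is_private(RemoteIP) == false and RemoteIP startswith "127.")
    | project Timestamp, DeviceName, RemoteIP, LocalPort, ActionType;
// vertical: many ports on a single host from the same source within one bucket
let vertical = base
    | summarize DistinctPorts = dcount(LocalPort),
                SamplePorts = make_set(LocalPort, 10),
                FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
        by RemoteIP, DeviceName, TimeBin = bin(Timestamp, bin_size)
    | where DistinctPorts >= vertical_port_threshold
    | extend ScanType = "vertical", Scope = DeviceName;
// horizontal: the same port on many hosts from the same source within one bucket
let horizontal = base
    | summarize DistinctHosts = dcount(DeviceName),
                SampleHosts = make_set(DeviceName, 10),
                FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
        by RemoteIP, LocalPort, TimeBin = bin(Timestamp, bin_size)
    | where DistinctHosts >= horizontal_host_threshold
    | extend ScanType = "horizontal", Scope = tostring(LocalPort);
union vertical, horizontal
| project TimeBin, ScanType, RemoteIP, Scope, DistinctPorts, DistinctHosts,
          SamplePorts, SampleHosts, FirstSeen, LastSeen
| order by TimeBin desc, RemoteIP asc
```

Two design notes. First, the example counts LocalPort rather than RemotePort: for an inbound scan the port that was probed is the local one, while RemotePort is the scanner's ephemeral source port, which changes on every connection and would inflate any distinct-port count. Second, to my knowledge DeviceNetworkEvents only records inbound connections that were accepted, not ones refused by a closed port, so the vertical count effectively reflects open services on the host; a scanner touching a server with only two listening ports will never reach the vertical threshold, which is one reason a scan can go unalerted and why the horizontal branch (same port across many hosts) is usually the more reliable signal for a subnet sweep. If you turn this into a custom detection rule, carry Timestamp, DeviceId and ReportId through the summarize (for example with arg_max) since the rule requires them in the result set.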