A host whose single process contacts many distinct RemotePorts on the same RemoteIP within a short window is a common signature of automated port scanning. SOC teams should proactively hunt for this pattern in Microsoft Sentinel (formerly Azure Sentinel) to catch adversary reconnaissance before it progresses to lateral movement or data exfiltration.
KQL Query
let remotePortCountThreshold = 10; // Minimum number of distinct remote ports one process on one host must touch on a single remote IP before the pair is reported; tune to your environment
DeviceNetworkEvents
| where Timestamp > ago(1d)
// Restrict to the internal ranges of interest. The original prefix test mixed "and"/"or" without parentheses, so the time window did not reliably apply to the 192.168 branch,
// and startswith "172.16" also matched 172.160.0.0-172.169.255.255. Widen to 172.16.0.0/12 or add 10.0.0.0/8 as needed.
| where ipv4_is_in_range(RemoteIP, "172.16.0.0/16") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16")
// Inbound rows carry the peer's ephemeral source port in RemotePort, so a busy server would otherwise look like a scanner
| where ActionType !in ("InboundConnectionAccepted", "ListeningConnectionCreated")
| summarize RemotePortCount = dcount(RemotePort) by DeviceName, RemoteIP, InitiatingProcessFileName
| where RemotePortCount > remotePortCountThreshold
id: 525f2ae5-5d11-4404-a0c5-bbd402c57c3f
name: Discover hosts doing possible network scans
description: |
  Looks for a high number of distinct RemotePorts contacted on a given RemoteIP, per DeviceName and initiating process.
  Adjust the Timestamp window to your preference/objective, as well as the subnet ranges you want to analyze.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  let remotePortCountThreshold = 10; // Minimum number of distinct remote ports one process on one host must touch on a single remote IP before the pair is reported; tune to your environment
  DeviceNetworkEvents
  | where Timestamp > ago(1d)
  // Restrict to the internal ranges of interest. Using ipv4_is_in_range avoids the and/or precedence problem of the original prefix test
  // and stops "172.16" from also matching 172.160.0.0-172.169.255.255. Widen to 172.16.0.0/12 or add 10.0.0.0/8 as needed.
  | where ipv4_is_in_range(RemoteIP, "172.16.0.0/16") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16")
  // Inbound rows carry the peer's ephemeral source port in RemotePort, so a busy server would otherwise look like a scanner
  | where ActionType !in ("InboundConnectionAccepted", "ListeningConnectionCreated")
  | summarize RemotePortCount = dcount(RemotePort) by DeviceName, RemoteIP, InitiatingProcessFileName
  | where RemotePortCount > remotePortCountThreshold
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Populated by the MicrosoftThreatProtection (Microsoft Defender XDR) data connector; ensure the connector is enabled and the DeviceNetworkEvents data type is selected |
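To check the threshold and exclusion logic without a workspace, the following is an added Python re-implementation of the query's aggregation over constructed DeviceNetworkEvents rows. It is example code written for this page, not the hunting query itself or Microsoft's code; every device name, address and process name in the sample is invented, and the allowlisted scanner `ipam-scanner.exe` is a hypothetical name. It applies the time window, the internal-range filter and the distinct-port count, and additionally demonstrates two tunings a practitioner wants: an allowlist for sanctioned discovery tools, and an ActionType filter, because inbound rows record the peer's ephemeral source port in RemotePort and would otherwise make a busy server look like a scanner.

```python
"""Offline re-implementation of the 'possible network scans' hunting logic.

Added example for this page (not the Sentinel query or Microsoft code). It applies
the same aggregation as the KQL (distinct RemotePort per DeviceName/RemoteIP/process
inside a time window and inside chosen internal ranges) to constructed rows.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample of DeviceNetworkEvents-like rows (not real telemetry).
# Field names mirror the advanced-hunting schema.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, device, action, ip, port, proc):
    return {
        "Timestamp": NOW - timedelta(minutes=minutes_ago),
        "DeviceName": device,
        "ActionType": action,
        "RemoteIP": ip,
        "RemotePort": port,
        "InitiatingProcessFileName": proc,
    }


SAMPLE_EVENTS = (
    # ws01: nmap.exe sweeps 15 ports on one internal host; closed ports log ConnectionFailed.
    [_row(5, "ws01", "ConnectionFailed" if p != 139 else "ConnectionSuccess",
          "192.168.10.20", p, "nmap.exe") for p in range(135, 150)]
    # srv-db01: one client connects 20 times; inbound rows carry the client's ephemeral source port.
    + [_row(10, "srv-db01", "InboundConnectionAccepted", "192.168.10.50", 49152 + i, "sqlservr.exe")
       for i in range(20)]
    # bk01: a backup client talks to one port repeatedly; the distinct-port count stays at 1.
    + [_row(20, "bk01", "ConnectionSuccess", "172.16.4.9", 9392, "VeeamAgent.exe") for _ in range(30)]
    # ipam01: sanctioned discovery tool (hypothetical name) probing 12 ports; excluded by the allowlist.
    + [_row(30, "ipam01", "ConnectionFailed", "172.16.8.3", p, "ipam-scanner.exe") for p in range(20, 32)]
    # ws02: scan of a public address, outside the ranges the query inspects.
    + [_row(40, "ws02", "ConnectionFailed", "203.0.113.7", p, "nmap.exe") for p in range(1, 20)]
    # ws03: scan older than the 1-day window.
    + [_row(48 * 60, "ws03", "ConnectionFailed", "192.168.10.21", p, "nmap.exe") for p in range(1, 20)]
)

# Hypothetical allowlist of sanctioned scanner process names (assumption for the example).
ALLOWED_SCANNERS = {"ipam-scanner.exe"}
# Inbound-side action types whose RemotePort is the peer's ephemeral port, not a probed service.
INBOUND_ACTIONS = {"InboundConnectionAccepted", "ListeningConnectionCreated"}
TARGET_RANGES = [ipaddress.ip_network("172.16.0.0/12"), ipaddress.ip_network("192.168.0.0/16")]


def in_target_ranges(ip):
    """True when ip parses and falls inside one of TARGET_RANGES."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TARGET_RANGES)


def find_scanners(events, threshold=10, window=timedelta(days=1), now=NOW,
                  exclude_inbound=True, allowed=ALLOWED_SCANNERS):
    """Return {(DeviceName, RemoteIP, process): distinct_port_count} for pairs over threshold."""
    ports = defaultdict(set)
    for e in events:
        if e["Timestamp"] <= now - window:          # Timestamp > ago(window)
            continue
        if not in_target_ranges(e["RemoteIP"]):
            continue
        if exclude_inbound and e["ActionType"] in INBOUND_ACTIONS:
            continue
        if e["InitiatingProcessFileName"].lower() in allowed:
            continue
        ports[(e["DeviceName"], e["RemoteIP"], e["InitiatingProcessFileName"])].add(e["RemotePort"])
    return {k: len(v) for k, v in ports.items() if len(v) > threshold}


if __name__ == "__main__":
    for (device, ip, proc), count in find_scanners(SAMPLE_EVENTS).items():
        print(f"{device} -> {ip} via {proc}: {count} distinct ports")
    # Without the inbound filter, the server that merely accepted one client is reported too.
    print(find_scanners(SAMPLE_EVENTS, exclude_inbound=False))
```

With the defaults only `ws01` is reported. Calling `find_scanners(SAMPLE_EVENTS, exclude_inbound=False)` reproduces the server-side false positive, and `allowed=set()` surfaces the sanctioned scanner, which is the same effect as removing the exclusions in the KQL.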
Scenario: Network discovery tool scanning internal subnets
Description: A network discovery tool such as Nmap or SolarWinds IP Address Manager performs a scheduled scan of internal subnets to inventory devices; this produces exactly the many-ports-per-IP pattern the query looks for.
Filter/Exclusion: Exclude the InitiatingProcessFileName of sanctioned discovery tools, or exclude the DeviceName (or LocalIP) of the hosts from which internal discovery is run.
Scenario: System update or patching job using mass ping
Description: A scheduled job uses ICMP ping (e.g., via PowerShell, Nmap, or MassPing) to check the availability of servers during a patching window. ICMP has no port number, so a pure ping sweep does not raise RemotePortCount on its own; this scenario matters when the availability check also probes TCP/UDP ports (for example a port-check script or Nmap with a port scan enabled).
Filter/Exclusion: Exclude the process names or DeviceNames of known patching or maintenance scripts, or scope the scheduled window out of the hunt.
Scenario: Database replication or synchronization across multiple nodes
Description: A database replication mechanism such as MySQL Replication, SQL Server Replication, or a MongoDB Replica Set keeps many connections open between nodes. The outbound side connects to a single fixed port (e.g., 3306, 1433, 27017) and stays below the threshold; the matches come from the receiving node, where InboundConnectionAccepted rows record the peer's ephemeral source port in RemotePort, so one busy client can show up as dozens of "ports".
Filter/Exclusion: Keep only outbound action types (exclude InboundConnectionAccepted and ListeningConnectionCreated), and exclude the replication processes or database ports if sanctioned traffic still triggers.
Scenario: Log collection from multiple servers using a centralized logging tool
Description: A log aggregation tool such as Splunk, ELK Stack, or Graylog receives streams from many servers. Each forwarder uses a single destination port, so the same inbound ephemeral-port effect as above is what makes the central server appear to be scanning its clients.
Filter/Exclusion: Exclude inbound action types, or exclude the collection process and its listening ports (e.g., 9997 for Splunk forwarders, 5044 for the Logstash Beats input).
Scenario: Scheduled backup job querying remote storage
Description: A backup job using Veeam, **Commvault