Log Search Help

Hi

Is there a query that can be used to search for discovery scanning? I know I can use the Endpoint Activity "Process Start Events" to search for certain scanning programs like "Lansweeper.exe", "AngryIPscanner.exe", etc., but is there a way to leverage Sysmon logs to actually find endpoint scanning from a non-managed asset?

TIA and hope that makes sense.

The best way to detect network scanning from a non-managed asset would probably be with the network flow data and some custom detections on that.
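As an added example (not from this thread or any product), here is the shape such a custom detection over flow data can take: it flags a source that touches many distinct hosts or many distinct ports on one host inside a short window, and notes whether that source is on the managed-asset list. The flow records, thresholds and `MANAGED_ASSETS` are all constructed or assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (timestamp, src_ip, dst_ip, dst_port); not real traffic.
# 10.0.5.77 sweeps port 445 across 25 hosts, 10.0.5.78 probes 20 ports on one host,
# and 10.0.1.10 is a managed server with ordinary traffic.
FLOWS = (
    [(f"2024-01-01T10:00:{i:02d}", "10.0.5.77", f"10.0.1.{i}", 445) for i in range(1, 26)]
    + [(f"2024-01-01T10:03:{i:02d}", "10.0.5.78", "10.0.1.50", 20 + i) for i in range(20)]
    + [("2024-01-01T10:00:00", "10.0.1.10", "10.0.1.5", 443),
       ("2024-01-01T10:00:30", "10.0.1.10", "10.0.1.6", 53)]
)

# Assumed list of hosts covered by an endpoint agent, so unmanaged sources stand out.
MANAGED_ASSETS = {"10.0.1.10", "10.0.1.5"}


def detect_scanners(flows, window=timedelta(minutes=5), min_hosts=20, min_ports=15):
    """Flag sources that, inside one sliding time window, reached many distinct hosts
    (horizontal sweep) or many distinct ports on a single host (vertical scan).
    Thresholds are illustrative; tune them against the baseline of your own network."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        per_src[src].append((datetime.fromisoformat(ts), dst, dport))
    findings = {}
    for src, recs in per_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the span [start, end] fits inside `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            window_recs = recs[start:end + 1]
            hosts = {dst for _, dst, _ in window_recs}
            ports_per_host = defaultdict(set)
            for _, dst, dport in window_recs:
                ports_per_host[dst].add(dport)
            kind = None
            if len(hosts) >= min_hosts:
                kind = "horizontal_sweep"
            elif max(len(p) for p in ports_per_host.values()) >= min_ports:
                kind = "vertical_scan"
            if kind:
                findings[src] = {"kind": kind, "hosts": len(hosts),
                                 "managed": src in MANAGED_ASSETS}
                break  # one finding per source is enough for triage
    return findings
```

Unmanaged sources in the result are the ones that will not show up in endpoint process-start telemetry, so they are the candidates for a network-side alert.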

Yea I was thinking that.

We are in the process of setting up network sensors; hopefully that will help with this.