Query Details

Linux Nmap Reconnaissance Detection

Query

//This query detects Nmap reconnaissance activity from Linux systems
//Identifies specific nmap commands and their source devices
DeviceNetworkEvents
| where InitiatingProcessCommandLine contains "nmap"
| where InitiatingProcessFolderPath contains "/usr/bin/nmap"
| project InitiatingProcessCommandLine, DeviceName, DeviceId, Timestamp

Explanation

This query is designed to identify and track the use of the Nmap tool, which is often used for network reconnaissance, on Linux systems. Here's a simple breakdown of what the query does:

  1. Data Source: It looks at network-related events from devices (DeviceNetworkEvents).

  2. Filter for Nmap Usage: It specifically searches for events where the command line used includes "nmap" and the tool is located in the typical Linux directory for Nmap (/usr/bin/nmap).

  3. Select Information: For each event that matches these criteria, it extracts and displays the following details:

    • The exact command line that was used (InitiatingProcessCommandLine).
    • The name of the device where the command was run (DeviceName).
    • The unique identifier for the device (DeviceId).
    • The time when the event occurred (Timestamp).

In summary, this query helps in detecting and analyzing the use of Nmap on Linux systems by providing details about the command usage and the devices involved.
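The following is an added example, not part of the original query page: a broader variant of the same detection that matches nmap by process image name instead of a fixed folder, so a copy run from another location is still seen, and that counts the distinct remote hosts each run touched so analysts can triage a single-host probe differently from a subnet sweep. The 7-day lookback, the 1-hour bin and the 5-host threshold are assumptions to tune per environment.

```kql
// Added example (not from the original page): broadened Linux nmap detection
// with per-run target counting. Threshold and time windows are assumptions.
let hostThreshold = 5;
DeviceNetworkEvents
| where Timestamp > ago(7d)
// Match on the image name or command line, not only on /usr/bin/nmap,
// so nmap run from /usr/local/bin or a home directory is still captured.
| where InitiatingProcessFileName =~ "nmap"
    or InitiatingProcessCommandLine has "nmap"
// One row per device, account and process within an hourly bin:
// how many distinct hosts did this nmap process reach, and on which ports?
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    TargetHosts = dcount(RemoteIP),
    SamplePorts = make_set(RemotePort, 10),
    CommandLine = any(InitiatingProcessCommandLine),
    ImagePath   = any(InitiatingProcessFolderPath)
  by DeviceId, DeviceName, InitiatingProcessAccountName,
     InitiatingProcessId, bin(Timestamp, 1h)
// Label runs that touched many hosts so they sort to the top of the queue.
| extend Severity = iff(TargetHosts >= hostThreshold, "sweep", "single-host")
| project-reorder Severity, DeviceName, InitiatingProcessAccountName,
                  TargetHosts, SamplePorts, CommandLine, ImagePath,
                  FirstSeen, LastSeen
| order by TargetHosts desc
```

Runs with a high TargetHosts value and a broad SamplePorts set are the ones most likely to be genuine reconnaissance rather than an administrator checking a single service.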

Details


Alexandros Pappas

Released: November 10, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents
InitiatingProcessCommandLine
DeviceName
DeviceId
Timestamp

Operators

contains
project
where
