Linux Nmap Reconnaissance Detection
Query
//This query detects Nmap reconnaissance activity from Linux systems
//Identifies specific nmap commands and their source devices
DeviceNetworkEvents
| where InitiatingProcessCommandLine contains "nmap"
| where InitiatingProcessFolderPath contains "/usr/bin/nmap"
| project InitiatingProcessCommandLine, DeviceName, DeviceId, TimestampExplanation
This query is designed to identify and track the use of the Nmap tool, which is often used for network reconnaissance, on Linux systems. Here's a simple breakdown of what the query does:
-
Data Source: It looks at network-related events from devices (
DeviceNetworkEvents). -
Filter for Nmap Usage: It specifically searches for events where the command line used includes "nmap" and the tool is located in the typical Linux directory for Nmap (
/usr/bin/nmap). -
Select Information: For each event that matches these criteria, it extracts and displays the following details:
- The exact command line that was used (
InitiatingProcessCommandLine). - The name of the device where the command was run (
DeviceName). - The unique identifier for the device (
DeviceId). - The time when the event occurred (
Timestamp).
- The exact command line that was used (
In summary, this query helps in detecting and analyzing the use of Nmap on Linux systems by providing details about the command usage and the devices involved.
Details

Alexandros Pappas
Released: November 10, 2024
Tables
Keywords
Operators