Forum Discussion
Defender not detecting test Kali Linux devices connected to network
A sample alert could be based on logic from the following KQL
DeviceInfo
| where MachineGroup == "UnassignedGroup"
| where DeviceName contains "Kali"
I ran several queries in Advanced hunting, similar to what you are suggesting, and also looked for DeviceProcessEvents containing "nmap", but still nothing.
- rafflmartin, Jun 04, 2025, Copper Contributor
Since you have Kali in your network, I suggest you run OpenVAS against your servers, instead of NMAP, to force some logs. (NMAP has some vuln scripts, but I prefer OpenVAS to force detection logs.)
When you run OpenVAS (Greenbone - free) against your servers, it will generate some Defender alerts.
If Defender does not identify the scanner with the machine hostname, it will name it as "Null" (which is annoying from a blue team perspective).
You can then find the exact logs with Advanced Hunting and the KQL code below (adjust the parts you need):
let target_server = "use your full target server name here";
search in (IdentityLogonEvents,IdentityQueryEvents,IdentityDirectoryEvents,DeviceProcessEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceRegistryEvents,DeviceLogonEvents,DeviceImageLoadEvents,DeviceEvents,BehaviorEntities)
Timestamp > datetime(2025-06-04 01:09:59.9) // adjust this line with a timestamp that serves you well, GMT time. Put a timestamp a bit before the scanner started running
and ( // grouped so the timestamp filter applies to both branches; without the parentheses, `and` binds tighter than `or` and the RemoteIP branch would match events from any time
    (DeviceName == target_server and isnotempty(FailureReason))
    or RemoteIP == "your kali IP address in your network"
)
| project Timestamp, DeviceName, Type, ActionType, Protocol, FailureReason, AccountName, RemoteIP, RemotePort
| take 1000
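As an added example (not part of rafflmartin's post), the query below pivots on the scanner's RemoteIP and aggregates scanner-like behaviour per 15-minute window instead of listing raw events, which also sidesteps the "Null" hostname problem; the start timestamp, the IP placeholder and the thresholds are assumptions you adjust for your network.

```kql
// Added example, not from the thread. Ranks remote IPs by scanner-like behaviour
// against onboarded devices using the DeviceNetworkEvents and DeviceLogonEvents
// tables. Replace the placeholders and tune the thresholds before use.
let start_time = datetime(2025-06-04 01:09:59.9);   // assumption: just before the scan began, GMT
let expected_scanner = "your kali IP address in your network"; // placeholder
let bucket_size = 15m;
union
    // Open ports the remote host reached on each device (a sweep touches many distinct ports).
    (DeviceNetworkEvents
     | where Timestamp > start_time
     | where ActionType == "InboundConnectionAccepted"
     | project Timestamp, RemoteIP, DeviceName, Signal = "port", Key = tostring(LocalPort)),
    // Failed logons from the same remote host (credentialed checks, default-password tests).
    (DeviceLogonEvents
     | where Timestamp > start_time
     | where ActionType == "LogonFailed"
     | project Timestamp, RemoteIP, DeviceName, Signal = "logon", Key = AccountName)
| where isnotempty(RemoteIP)
| summarize
    DistinctPorts = dcountif(Key, Signal == "port"),
    FailedLogons  = countif(Signal == "logon"),
    AccountsTried = dcountif(Key, Signal == "logon"),
    DevicesHit    = dcount(DeviceName)
    by RemoteIP, Window = bin(Timestamp, bucket_size)
// Thresholds are assumptions: one RemoteIP touching many ports on many devices, or
// failing logons against many accounts, is the shape a vulnerability scanner leaves.
| where DistinctPorts >= 20 or DevicesHit >= 5 or AccountsTried >= 5
| extend IsExpectedScanner = (RemoteIP == expected_scanner)
| order by Window asc, DistinctPorts desc
```

Rows where IsExpectedScanner is false are the ones worth a second look: either another unmanaged host is scanning, or the Kali box is reaching the targets through an address you did not expect.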