Forum Discussion
griggs31
Aug 25, 2023 Copper Contributor
Defender not detecting test Kali Linux devices connected to network
Hello, first time posting here. Our organization is trying to get more familiar with MS 365 Defender. Just to see what it would discover, we connected a device running Kali Linux (not domain joined...
BillClarksonAntill
Sep 01, 2023 Iron Contributor
Have you checked the Uncategorized Devices? You should also be able to create an alert within the Custom Detection Rules.
A sample alert could be based on logic from the following KQL
DeviceInfo
| where MachineGroup == "UnassignedGroup"
| where DeviceName contains "Kali"
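A broader version of the same idea, added here as an illustration and not code from the thread: rather than matching only on the hostname, take each non-onboarded device's most recent DeviceInfo record and flag it when it reports a Linux platform or a Kali-like name. The columns are the standard DeviceInfo schema; the lookback, the "kali" pattern and the Linux check are assumptions to adjust, and Timestamp, ReportId and DeviceId are carried through because a custom detection rule requires them.

```kql
// Added example: non-onboarded devices that look like Linux/Kali hosts.
// Assumes the standard DeviceInfo schema; lookback and name pattern are assumptions.
let lookback = 7d;
DeviceInfo
| where Timestamp > ago(lookback)
| where OnboardingStatus != "Onboarded"                       // discovered, not managed
| summarize arg_max(Timestamp, *) by DeviceId                 // newest record per device
| where OSPlatform has "Linux" or DeviceName contains "kali"  // assumed indicators
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, OSVersion,
          OnboardingStatus, MachineGroup, DeviceType
```

Saved as a custom detection rule this raises an alert on every new match. One caveat: device discovery depends on onboarded endpoints observing the new host on the network, so a test box that never exchanges traffic with an onboarded device will not have a DeviceInfo row for this query to find.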
griggs31
Sep 01, 2023 Copper Contributor
Thanks for the reply. These Kali machines are not showing up in Uncategorized Devices or anywhere in Device Inventory that I can find. I've tried filtering by OS and also by Onboard Status (Insufficient Info, Can be Onboarded, Unsupported)
I ran several queries in Advanced hunting, similar to what you are suggesting and also looking for DeviceProcessEvents containing "nmap" but still nothing.
rafflmartin
Jun 04, 2025 Copper Contributor
Since you have Kali in your network, I suggest you run OpenVAS against your servers instead of NMAP to force some logs. (NMAP has some vuln scripts, but I prefer OpenVAS to force detection logs.)
When you run OpenVAS (Greenbone - free) against your servers, it will generate some Defender alerts.
If Defender does not identify the scanner with the machine hostname, it will name it "Null" (which is annoying from a blue team perspective).
You can then find the exact logs with Advanced Hunting and the KQL below (adjust the parts you need):
let target_server = "use your full target server name here";
let kali_ip = "your kali IP address in your network";
search in (IdentityLogonEvents,IdentityQueryEvents,IdentityDirectoryEvents,DeviceProcessEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceRegistryEvents,DeviceLogonEvents,DeviceImageLoadEvents,DeviceEvents,BehaviorEntities)
    // adjust this line with a timestamp that serves you well, GMT time. Put a timestamp a bit before the scanner started running
    Timestamp > datetime(2025-06-04 01:09:59.9)
    // parentheses added: "and" binds tighter than "or", so without them the time filter would not apply to the RemoteIP branch
    and ((DeviceName == target_server and isnotempty(FailureReason))
         or RemoteIP == kali_ip)
| project Timestamp, DeviceName, Type, ActionType, Protocol, FailureReason, AccountName, RemoteIP, RemotePort
| take 1000
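As an added example that is not part of rafflmartin's post, the same hunt narrowed to the scanner's network footprint: instead of searching every table, count how many distinct local ports one remote address touched on each onboarded host inside a short window, which is the trace a port sweep or a vulnerability scanner leaves in DeviceNetworkEvents. It goes slightly beyond the post in that the scanner address is optional; leave it empty to rank every sweeping source instead. The scanner IP, the window and the port threshold are assumptions to adjust.

```kql
// Added example: inbound sweep from one address across many ports on onboarded hosts.
// scanner_ip (leave "" to rank all sources), window and port_threshold are assumptions.
let scanner_ip = "192.0.2.10";      // assumed: the Kali host's address
let window = 10m;
let port_threshold = 15;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "InboundConnectionAccepted"
| where isempty(scanner_ip) or RemoteIP == scanner_ip
| summarize DistinctPorts = dcount(LocalPort),
            Ports = make_set(LocalPort, 100),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Events = count()
        by DeviceName, RemoteIP, Window = bin(Timestamp, window)
| where DistinctPorts >= port_threshold
| order by DistinctPorts desc
```

InboundConnectionAccepted only records connections the host actually accepted, so probes against closed ports leave no endpoint event and the count reflects listening services, not the full sweep. Treat this as a complement to the alerts the scan itself triggers rather than a replacement, and lower port_threshold for hosts that expose only a handful of services.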