Forum Discussion
griggs31
Aug 25, 2023, Copper Contributor
Defender not detecting test Kali Linux devices connected to network
Hello, first time posting here. Our organization is trying to get more familiar with MS 365 Defender. Just to see what it would discover, we connected a device running Kali Linux (not domain joined) to our internal LAN network then did some NMAP scans from it against the subnet and one of our servers. We were thinking we would see Defender trigger some kind of alert but that did not happen. We are also not seeing this Kali Linux device in the Defender Device Inventory anywhere.
We have our device discovery set to Standard and have the appropriate networks enabled for Monitoring. Should we be getting some kind of alert of a non-onboarded device doing port scans against other devices in our network?
12 Replies
- BillClarksonAntill, Iron Contributor
Silly question, but are the Kali boxes on the same network segment as the rest of your fleet?
- griggs31, Copper Contributor
Thanks for the reply. The Kali machines are connected to the same subnet as the one I was scanning. Trying to simulate a scenario where someone brings a foreign, unmanaged device inside our building and plugs it into our network.
- BillClarksonAntill, Iron Contributor
Have you checked the Uncategorized Devices? You should also be able to create an alert within the Custom Detection Rules.
A sample alert could be based on logic from the following KQL:
DeviceInfo
| where MachineGroup == "UnassignedGroup"
| where DeviceName contains "Kali"
- griggs31, Copper Contributor
Thanks for the reply. These Kali machines are not showing up in Uncategorized Devices or anywhere in Device Inventory that I can find. I've tried filtering by OS and also by Onboard Status (Insufficient Info, Can be Onboarded, Unsupported).
I ran several queries in Advanced Hunting, similar to what you are suggesting, and also looked for DeviceProcessEvents containing "nmap", but still nothing.
- rafflmartin, Copper Contributor
Since you have Kali in your network, I suggest you run OpenVAS against your servers instead of NMAP to force some logs. (NMAP has some vuln scripts, but I prefer OpenVAS to force detection logs.)
When you run OpenVAS (Greenbone, free) against your servers, it will generate some Defender alerts.
If Defender does not identify the scanner with the machine hostname, it will name it "Null" (which is annoying from a blue team perspective).
You can then find the exact logs with Advanced Hunting and the KQL below (adjust the parts you need):
let target_server = "use your full target server name here";
search in (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents, BehaviorEntities)
    Timestamp > datetime(2025-06-04 01:09:59.9) // adjust this line with a timestamp that serves you well, GMT time. Put a timestamp a bit before the scanner started running
    and ((DeviceName == target_server and isnotempty(FailureReason))
         or RemoteIP == "your kali IP address in your network") // parentheses so the timestamp filter applies to both branches
| project Timestamp, DeviceName, Type, ActionType, Protocol, FailureReason, AccountName, RemoteIP, RemotePort
| take 1000
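Building on the two suggestions above (a Custom Detection Rule for unmanaged hosts, and hunting for the scanner by its IP), here is an added Advanced Hunting query that is not from any poster in this thread. It looks at the onboarded server's own DeviceNetworkEvents rather than the inventory, since a non-onboarded Kali box will never appear there; the 5-minute window, the 20-port threshold and the 7-day lookback are assumptions to tune.

```kusto
// Added example (not from this thread). Flags an internal source IP that connected to
// many distinct ports on an onboarded host in a short window, and excludes sources
// that belong to an onboarded device, so only unmanaged scanners remain.
// Caveat: MDE records accepted inbound connections; probes to closed ports leave no row,
// so the count reflects open ports only. Thresholds below are assumptions.
let window = 5m;
let min_ports = 20;
let onboarded_ips =
    DeviceNetworkInfo
    | where Timestamp > ago(7d)
    | extend Ips = parse_json(IPAddresses)
    | mv-expand Ips
    | extend IP = tostring(Ips.IPAddress)
    | where isnotempty(IP)
    | distinct IP;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "InboundConnectionAccepted"
| where ipv4_is_private(RemoteIP)        // scanner sits on the internal LAN
| where RemoteIP !in (onboarded_ips)     // source is not an onboarded device
| summarize DistinctPorts = dcount(LocalPort),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            DeviceId = take_any(DeviceId),
            ReportId = take_any(ReportId)   // Timestamp/DeviceId/ReportId are required by custom detection rules
          by DeviceName, RemoteIP, Timestamp = bin(Timestamp, window)
| where DistinctPorts >= min_ports
| project Timestamp, DeviceId, ReportId, DeviceName, RemoteIP, DistinctPorts, FirstSeen, LastSeen
| order by DistinctPorts desc
```

Run it as an ad hoc hunt first to calibrate the threshold against normal traffic (monitoring and backup systems also touch many ports), then save it as a Custom Detection Rule once the false-positive rate is acceptable.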