topic How to detect Port Scanning with Harmony Endpoint or Infinity XDR/XPR? in Endpoint

How to detect Port Scanning with Harmony Endpoint or Infinity XDR/XPR?

Eve_Z — Tue, 11 Feb 2025 12:53:12 GMT

Hello,

Have you ever tried to detect port scanning by using Harmony Endpoint? I thought this would be detected by Infinity XDR/XPR as an incident, but I see not incidents related.

I would like to detect port scanning from the machine with Harmony Endpoint that is performing the scan, for example, with a virtualized Kali Linux, AND/OR from the victim machine that also has Harmony Endpoint.

Any suggestion is appreciated.

Regards.

Re: How to detect Port Scanning with Harmony Endpoint or Infinity XDR/XPR?

PhoneBoy — Tue, 11 Feb 2025 15:39:34 GMT

At least for a gateway, this requires using a particular IPS signature and a trigger from SmartEvent to actually block based on the IP.
Not sure how this works on Endpoint, if it does at all.

Re: How to detect Port Scanning with Harmony Endpoint or Infinity XDR/XPR?

Eve_Z — Tue, 18 Feb 2025 15:30:13 GMT

I created a custom query for Threat Hunting to detect TCP connections with 0 bytes received, excluding common ports. This should detect when the source tries to open a connection to an uncommon port that is filtered (destination does not respond, so 0 bytes are received), which may indicate port scanning.

This query shows some results when scanning with Nmap from a machine with Harmony Endpoint, but when I scan from a virtualized Kali Linux from the same machine, I don't see the same results. I was expecting to see a VirtualBox process doing the same connections.