I created a custom query for Threat Hunting to detect TCP connections with 0 bytes received, excluding common ports. This should detect when the source tries to open a connection to an uncommon port that is filtered (destination does not respond, so 0 bytes are received), which may indicate port scanning.
This query shows some results when scanning with Nmap from a machine with Harmony Endpoint, but when I scan from a virtualized Kali Linux on the same machine, I don't see the same results. I was expecting to see a VirtualBox process making the same connections.
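The detection logic described in the post, as an added Python example that is not part of the original post and is not Harmony Endpoint query syntax. The record field names, the common-port list, the sample records and the distinct-port threshold are all assumptions; the threshold goes beyond the post's condition to separate a scan from a single unanswered connection.

```python
from collections import defaultdict

# Assumed "common ports" exclusion list; tune it to your environment.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 445, 993, 995, 3389}


def rec(host, proc, dst, port, rx, proto="tcp"):
    """Build one connection record (hypothetical field names)."""
    return {"host": host, "process": proc, "dst_ip": dst,
            "dst_port": port, "proto": proto, "bytes_received": rx}


# Constructed sample connection records, not real telemetry.
SAMPLE = (
    [rec("WS01", "nmap.exe", "10.0.0.5", p, 0) for p in range(8000, 8006)]
    + [
        rec("WS01", "chrome.exe", "10.0.0.9", 443, 0),       # common port: excluded
        rec("WS01", "backup.exe", "10.0.0.7", 9102, 0),      # single miss: below threshold
        rec("WS01", "backup.exe", "10.0.0.7", 9103, 5120),   # got a reply: not filtered
        rec("WS02", "dns.exe", "10.0.0.5", 8000, 0, "udp"),  # not TCP
    ]
)


def zero_byte_tcp(records, common_ports=COMMON_PORTS):
    """Records matching the post's condition: TCP, 0 bytes received, uncommon port."""
    return [r for r in records
            if r["proto"] == "tcp"
            and r["bytes_received"] == 0
            and r["dst_port"] not in common_ports]


def scan_suspects(records, min_ports=5):
    """Group matches by (host, process, destination); keep groups that
    touched at least min_ports distinct unanswered ports."""
    ports = defaultdict(set)
    for r in zero_byte_tcp(records):
        ports[(r["host"], r["process"], r["dst_ip"])].add(r["dst_port"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


if __name__ == "__main__":
    for (host, proc, dst), hit in scan_suspects(SAMPLE).items():
        print(f"{host} {proc} -> {dst}: {len(hit)} unanswered ports {hit}")
```

Grouping by process as well as host is what makes a missing or unexpected process name visible when comparing a scan run on the host with one run from a guest VM.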