Query Details

LM Internal Threat Hunting Over Routers Devices

Query

**[LM] - Internal Threat Hunting over Routers Devices**

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    |
| ---  | --- |
| T1018 | Remote System Discovery  |

| Author | Sergio Albea (30/10/2025)   |
| ---  | --- |

**Description:** The query below correlates device inventory, IP assignment and network events to identify internal endpoints attempting to connect to routers — including whether they succeeded and via Web or Application access. Attack traffic often aligns with failed HTTP/HTTPS attempts or unknown device names.

```kusto
//Author Sergio Albea 30-10-2025
DeviceInfo
| where DeviceSubtype has "Router"
// Attach the router's network information (only rows that carry an IP list)
| join kind=inner (DeviceNetworkInfo | where isnotempty(IPAddresses)) on $left.DeviceName == $right.DeviceName
| extend d = todynamic(IPAddresses)                          // works for string or dynamic
| extend IP = tostring(iif(array_length(d) > 0, d[0].IPAddress, ""))   // first listed address only
// Network events whose destination is the router IP; DeviceName2 is the connecting endpoint
| join kind=inner (DeviceNetworkEvents | where isnotempty(RemoteIP) and isnotempty(RemoteUrl)) on $left.IP == $right.RemoteIP
| where RemoteUrl contains "IP" and isnotempty(Vendor)
// If there are devices identified as valid to connect/manage your routers, you can exclude them using the next condition
// | where DeviceName2 !in ("Device1","Device2")
| extend Access_Type = case(RemoteUrl startswith "http", "🌎 Web", "⚙️ Application")
| extend Connection_Result = case(ActionType has "ConnectionSuccess", "✅ ConnectionSuccess", "❌ ConnectionFailed")
| summarize make_set(OSPlatform), make_set(InitiatingProcessFileName), Total_connections=count() by Vendor, Connection_From=DeviceName2, LocalIP, Access_Type, Connection_To=RemoteUrl, RemoteIP, DeviceSubtype=strcat("🛜 ", DeviceSubtype), Connection_Result
```

Explanation

The query is designed to identify internal devices attempting to connect to routers within a network. It does this by correlating data from device inventories, IP assignments, and network events. Here's a simplified breakdown of what the query does:

  1. Filter for Routers: It starts by selecting devices that are identified as routers.

  2. Join with Network Info: It then joins this data with network information to find routers that have IP addresses assigned.

  3. Extract IP Addresses: The query extracts the IP addresses from the network information.

  4. Join with Network Events: It further joins this data with network event logs to find events where these IP addresses were the target of a connection attempt.

  5. Filter for Relevant Events: The query filters these events to include only those with a remote URL containing "IP" and where the vendor information is available.

  6. Determine Access Type: It categorizes the type of access as either "Web" or "Application" based on the URL.

  7. Determine Connection Result: It checks if the connection attempts were successful or failed.

  8. Summarize Results: Finally, it summarizes the data by listing the operating systems, initiating processes, total connection attempts, and other details like vendor, source device, local IP, access type, target URL, remote IP, device subtype, and connection result.

This query helps in identifying potentially suspicious activities, such as unauthorized devices trying to connect to routers, which could indicate internal threats.
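The following is an added example, not part of Sergio Albea's query: it rebuilds the core of steps 2 to 8 over constructed `datatable` rows that stand in for `DeviceNetworkInfo` and `DeviceNetworkEvents`, so the logic can be checked without a tenant. It also covers two edge cases the original does not: a router with more than one address (the original reads only `d[0]`, so connections to a second interface are dropped; `mv-expand` keeps them), and `ActionType` values other than `ConnectionSuccess`/`ConnectionFailed`, which the original folds into "failed" but which are kept visible here. All device names, IPs and URLs are constructed sample values.

```kusto
// Added example (not part of the original query). Constructed rows standing in for
// DeviceNetworkInfo: a router with two addresses, one with a single address, one with none.
let SampleNetworkInfo = datatable(DeviceName:string, IPAddresses:string)
[
    "rtr-core-01",  '[{"IPAddress":"10.0.0.1","SubnetPrefix":24,"AddressType":"Private"},{"IPAddress":"10.0.10.1","SubnetPrefix":24,"AddressType":"Private"}]',
    "rtr-edge-02",  '[{"IPAddress":"10.1.0.1","SubnetPrefix":24,"AddressType":"Private"}]',
    "rtr-empty-03", '[]'
];
// Constructed rows standing in for DeviceNetworkEvents (sample values, not real telemetry).
let SampleEvents = datatable(DeviceName:string, LocalIP:string, RemoteIP:string, RemoteUrl:string, ActionType:string, InitiatingProcessFileName:string)
[
    "wks-finance-17", "10.0.0.55", "10.0.0.1",  "https://10.0.0.1/login", "ConnectionFailed",  "chrome.exe",
    "wks-finance-17", "10.0.0.55", "10.0.0.1",  "https://10.0.0.1/login", "ConnectionSuccess", "chrome.exe",
    "srv-netmgmt-01", "10.0.10.9", "10.0.10.1", "10.0.10.1",              "ConnectionSuccess", "putty.exe",
    "wks-hr-03",      "10.0.0.77", "10.0.0.1",  "https://10.0.0.1/",      "ConnectionRequest", "msedge.exe"
];
SampleNetworkInfo
| where isnotempty(IPAddresses)
// Expand every address instead of taking only d[0], so the connection to the
// router's second interface (10.0.10.1) is not lost.
| mv-expand d = todynamic(IPAddresses)
| extend IP = tostring(d.IPAddress)
| where isnotempty(IP)                       // drops the router whose list was empty
// Same join as the original; the right-hand DeviceName becomes DeviceName1 here
// (DeviceName2 in the original, because it follows a second join).
| join kind=inner SampleEvents on $left.IP == $right.RemoteIP
| extend Access_Type = iif(RemoteUrl startswith "http", "Web", "Application")
// Only ConnectionSuccess / ConnectionFailed are conclusive; anything else is
// labelled with its own ActionType rather than being counted as a failure.
| extend Connection_Result = case(ActionType == "ConnectionSuccess", "ConnectionSuccess",
                                  ActionType == "ConnectionFailed",  "ConnectionFailed",
                                  strcat("Other: ", ActionType))
| summarize Total_connections = count(), Processes = make_set(InitiatingProcessFileName)
    by Router = DeviceName, RouterIP = IP, Connection_From = DeviceName1, LocalIP,
       Access_Type, Connection_To = RemoteUrl, Connection_Result
```

Run as-is in any Kusto/Advanced Hunting editor: with the constructed rows it returns four summary rows, including the `srv-netmgmt-01` connection to the router's second address and the `wks-hr-03` row labelled `Other: ConnectionRequest`, both of which the first-address-only and two-way classification in the original would miss or mislabel.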

Details


Sergio Albea

Released: November 9, 2025

Tables

DeviceInfo, DeviceNetworkInfo, DeviceNetworkEvents

Keywords

Devices

Operators

has, join, on, extend, todynamic, tostring, iif, array_length, where, isnotempty, contains, startswith, case, summarize, make_set, count, strcat
