Query Details
// DefenderXDR Exposure Management for #RegreSSHion
// https://www.linkedin.com/posts/activity-7214788756237639680-rGkW/
// Use the KQL below to determine your internet-facing VMs with OpenSSH and prioritize the following:
// - Access Control
// - Host-based Intrusion Prevention (e.g. fail2ban)
// - SSH Configuration Hardening (e.g. LoginGraceTime/MaxStartups/PerSourceMaxStartups)
// Refer to Splunk Mitigation Strategies for CVE-2024-6387
// Link: https://lnkd.in/gFPsbcaW
let InternetFacingVM =
    ExposureGraphNodes
    | where NodeLabel == 'device' or (Categories has 'virtual_machine' and set_has_element(Categories, 'virtual_machine'))
    | where NodeProperties.rawData.isInternetFacing == true
    | extend InternetFacingDeviceName = tostring(NodeProperties.rawData.deviceName)
    | project InternetFacingDeviceName;
DeviceTvmSoftwareInventory
| where SoftwareName contains "openssh"
| where DeviceName has_any (InternetFacingVM)
This KQL query is designed to identify internet-facing virtual machines (VMs) that have OpenSSH installed. The goal is to prioritize security measures such as access control, host-based intrusion prevention, and SSH configuration hardening for these VMs. Here's a simplified breakdown:
Identify Internet-Facing VMs: ExposureGraphNodes is filtered to device nodes (or nodes categorised as virtual_machine) whose rawData.isInternetFacing is true, and their device names are collected into InternetFacingVM.
Find VMs with OpenSSH: DeviceTvmSoftwareInventory is filtered to software whose name contains "openssh", keeping only rows whose DeviceName appears in InternetFacingVM.
The result is a list of internet-facing VMs that have OpenSSH installed, which should be prioritized for the security enhancements listed in the query comments.
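As an added example (not part of the original query), the same internet-facing set can be narrowed to hosts that Defender Vulnerability Management already flags for CVE-2024-6387, so patching and the mitigations above can be ordered by actual exposure. It assumes the DeviceTvmSoftwareVulnerabilities table is populated for the tenant.

```kql
// Added example: internet-facing devices with an OpenSSH build flagged for CVE-2024-6387.
let InternetFacingVM =
    ExposureGraphNodes
    | where NodeLabel == 'device'
    | where NodeProperties.rawData.isInternetFacing == true
    | extend InternetFacingDeviceName = tostring(NodeProperties.rawData.deviceName)
    | distinct InternetFacingDeviceName;
DeviceTvmSoftwareVulnerabilities
| where CveId == 'CVE-2024-6387'          // regreSSHion, as named in the query comments
| where SoftwareName contains 'openssh'
| where DeviceName has_any (InternetFacingVM)
// One row per device: which vulnerable versions are present and the severity TVM assigned.
| summarize VulnerableVersions = make_set(SoftwareVersion),
            Severity = any(VulnerabilitySeverityLevel),
            RecommendedUpdate = any(RecommendedSecurityUpdate)
          by DeviceName, OSPlatform
| project DeviceName, OSPlatform, Severity, VulnerableVersions, RecommendedUpdate
| order by DeviceName asc
```

Devices that appear in the original inventory query but not here either run a version TVM does not flag or have not yet been assessed, so they still warrant the configuration checks above rather than being treated as clean.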

Steven Lim
Released: August 5, 2024