Detect External Sources Scanning My Exposed Devices

**Detect External Sources scanning my exposed devices.md** **Description:** Detecting ExternalSource IP's that are scanning my exposed devices which helps me to identify if some IP's is triggering scans multiple times or in multiple devices. ``` DeviceNetworkEvents // Filter on devices that have been scanned | where ActionType == "InboundInternetScanInspected" | project IP_Source_ScannerAttempt=LocalIP,Country_Source_ScannerAttempt=tostring(geo_info_from_ip_address(LocalIP).country), PublicScannedIP= RemoteIP,PublicScannedIP_country=tostring(geo_info_from_ip_address(RemoteIP).country), PublicScannedPort= RemotePort,DeviceName ```

Explanation

This KQL (Kusto Query Language) query is designed to detect external IP addresses that are scanning your exposed devices. Here's a simple summary of what the query does:

Source Table: It starts by looking at the DeviceNetworkEvents table, which contains network event data for your devices.
Filter: It filters the events to only include those where the action type is "InboundInternetScanInspected". This means it focuses on events where an external source has scanned your device.
Projection: It then selects and renames specific columns to make the data more understandable:
- IP_Source_ScannerAttempt: The local IP address of the device that detected the scan.
- Country_Source_ScannerAttempt: The country associated with the local IP address.
- PublicScannedIP: The remote IP address that was scanned.
- PublicScannedIP_country: The country associated with the remote IP address.
- PublicScannedPort: The port on the remote IP address that was scanned.
- DeviceName: The name of the device that detected the scan.

In essence, this query helps you identify and understand which external IP addresses are scanning your devices, including details about the countries involved and the specific ports being targeted.

KQL Search

Detect External Sources Scanning My Exposed Devices

Query

Explanation

Details

Actions