Query Details

Detecting Port Scanning On Internet Facing Devices

Query

// Detecting Port Scanning on Internet-Facing Devices

// Are you aware of when your endpoints or servers are exposed to the internet? Whether intentional or accidental, it’s crucial to have the capability to detect port scans or attacks and take necessary defensive actions. I’ve developed a custom DefenderXDR detection KQL that provides this visibility for your fleet of MDE devices.
// When this custom detection is triggered, you should verify if the device firewall is enabled, check for any critical or high vulnerabilities that could be exploited, and identify the hostile country performing the scan (e.g., Russia - something might be off!). This is an enhanced version of the KQL function InboundExternalNetworkEvents(X), where X is the DeviceID.

let InternetFacingDevice=
DeviceInfo
| where Timestamp > ago(1h)
| where IsInternetFacing
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId;
DeviceNetworkEvents
| where DeviceId has_any(InternetFacingDevice)
| where ActionType == @"InboundConnectionAttempt"
| where not(ipv4_is_private(RemoteIP))
| extend IPLocation = geo_info_from_ip_address(RemoteIP)
| summarize Connections=count() by RemoteIP, tostring(IPLocation.country)
| sort by Connections desc
| where Connections >= 3

// MITRE ATT&CK
// T1049: System Network Connections Discovery

Explanation

This KQL query is designed to detect port scanning activities on devices that are exposed to the internet. Here's a simplified breakdown of what the query does:

  1. Identify Internet-Facing Devices:
    • It first checks the DeviceInfo table for devices that have been marked as "internet-facing" within the last hour.
    • It then selects the most recent entry for each device to get a list of unique DeviceIds.
  2. Monitor Network Events:
    • It looks at the DeviceNetworkEvents table for any inbound connection attempts to these identified internet-facing devices.
    • It filters out connections from private IP addresses, focusing only on those from public IPs.
  3. Analyze and Summarize Connections:
    • For each connection, it retrieves the geographical location of the remote IP address.
    • It counts the number of connection attempts from each remote IP and sorts them in descending order based on the number of attempts.
    • It highlights IPs that have made three or more connection attempts, which could indicate a potential port scan.
  4. Additional Context:
    • The query suggests verifying the device's firewall status, checking for vulnerabilities, and identifying the country of origin for the scan, especially if it's from a potentially hostile nation.
    • It references the MITRE ATT&CK framework, specifically technique T1049, which relates to discovering system network connections.

Overall, this query helps in identifying suspicious network activities that could indicate a port scan on devices exposed to the internet, allowing for timely defensive actions.
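The same detection logic, re-implemented in Python as an added example (this is not the page's query and not Microsoft's code) so it can be run offline over constructed sample rows. The DEVICE_INFO and NETWORK_EVENTS lists stand in for the DeviceInfo and DeviceNetworkEvents tables, the private-range check mirrors ipv4_is_private() (the three RFC 1918 ranges), and geo_info_from_ip_address() has no offline equivalent, so the country column is omitted. The example goes one step beyond the query by also counting distinct local ports per remote IP, which separates three attempts against one port from three attempts against three different ports.

```python
"""Offline re-implementation of the port-scan detection described above.

All rows below are constructed sample data (documentation IP ranges), not
real telemetry. Column order follows the KQL tables the page uses.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Fixed "now" so the 1-hour window is reproducible.
NOW = datetime(2024, 10, 16, 12, 0, tzinfo=timezone.utc)

# Constructed DeviceInfo rows: (Timestamp, DeviceId, IsInternetFacing)
DEVICE_INFO = [
    (NOW - timedelta(minutes=10), "dev-web01", True),
    (NOW - timedelta(minutes=50), "dev-web01", True),
    (NOW - timedelta(minutes=20), "dev-lap07", False),
    (NOW - timedelta(hours=5), "dev-old02", True),  # outside the 1h window
]

# Constructed DeviceNetworkEvents rows: (DeviceId, ActionType, RemoteIP, LocalPort)
NETWORK_EVENTS = [
    ("dev-web01", "InboundConnectionAttempt", "203.0.113.5", 22),
    ("dev-web01", "InboundConnectionAttempt", "203.0.113.5", 80),
    ("dev-web01", "InboundConnectionAttempt", "203.0.113.5", 443),
    ("dev-web01", "InboundConnectionAttempt", "203.0.113.5", 3389),
    ("dev-web01", "InboundConnectionAttempt", "198.51.100.9", 443),
    ("dev-web01", "InboundConnectionAttempt", "198.51.100.9", 443),
    ("dev-web01", "InboundConnectionAttempt", "198.51.100.9", 443),
    ("dev-web01", "InboundConnectionAttempt", "10.0.0.4", 445),  # private source
    ("dev-web01", "InboundConnectionAttempt", "10.0.0.4", 445),
    ("dev-web01", "InboundConnectionAttempt", "10.0.0.4", 445),
    ("dev-web01", "ConnectionSuccess", "192.0.2.77", 443),  # wrong ActionType
    ("dev-lap07", "InboundConnectionAttempt", "192.0.2.77", 22),  # not internet-facing
    ("dev-lap07", "InboundConnectionAttempt", "192.0.2.77", 23),
    ("dev-lap07", "InboundConnectionAttempt", "192.0.2.77", 25),
    ("dev-old02", "InboundConnectionAttempt", "192.0.2.88", 22),  # stale DeviceInfo
    ("dev-old02", "InboundConnectionAttempt", "192.0.2.88", 23),
    ("dev-old02", "InboundConnectionAttempt", "192.0.2.88", 25),
]

# ipv4_is_private() in KQL covers exactly the RFC 1918 ranges; Python's
# ip_address(...).is_private is wider (it also flags the TEST-NET ranges
# used here), so the check is spelled out explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_ipv4(ip):
    """Mirror of ipv4_is_private(RemoteIP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def internet_facing_devices(device_info, now, window=timedelta(hours=1)):
    """Step 1: DeviceIds reported as internet-facing inside the window.
    Mirrors: where Timestamp > ago(1h) | where IsInternetFacing | ... by DeviceId."""
    return {dev for ts, dev, facing in device_info if ts > now - window and facing}


def detect_scanners(device_info, network_events, now, min_connections=3):
    """Steps 2-3: inbound attempts from public IPs to exposed devices, counted
    per RemoteIP; rows with >= min_connections come back sorted by count desc.
    DistinctPorts is the extra signal not present in the page's query."""
    exposed = internet_facing_devices(device_info, now)
    counts = defaultdict(int)
    ports = defaultdict(set)
    for dev, action, rip, lport in network_events:
        if dev not in exposed or action != "InboundConnectionAttempt":
            continue
        if is_private_ipv4(rip):
            continue
        counts[rip] += 1
        ports[rip].add(lport)
    rows = [
        {"RemoteIP": ip, "Connections": n, "DistinctPorts": len(ports[ip])}
        for ip, n in counts.items()
        if n >= min_connections
    ]
    rows.sort(key=lambda r: (-r["Connections"], r["RemoteIP"]))
    return rows


if __name__ == "__main__":
    for row in detect_scanners(DEVICE_INFO, NETWORK_EVENTS, NOW):
        print(row)
```

On the sample rows only 203.0.113.5 (four attempts across four ports) and 198.51.100.9 (three attempts against one port) survive: the RFC 1918 source, the non-attempt ActionType, the non-exposed device and the device whose DeviceInfo record is older than an hour are all dropped, exactly as the KQL filters drop them. The DistinctPorts column is what lets an analyst tell the first row (scan-like) from the second (repeated hits on a single service) when triaging the alert.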

Details

Steven Lim

Released: October 16, 2024

Tables

DeviceInfo, DeviceNetworkEvents

Keywords

Devices, Network, Connections, Country, RemoteIP, Timestamp, DeviceId

Operators

let, |, where, >, ago(), summarize, arg_max(), by, project, has_any(), ==, @, not(), ipv4_is_private(), extend, geo_info_from_ip_address(), tostring(), sort, desc, >=