Query Details

Device Detect Potential Network Recon

Query

//Detect when the same device attempts to connect to multiple devices and is denied within a short time frame
//This example will alert when the same device attempts to connect to three or more different devices in 30 minutes

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceEvents
| where ActionType == "FirewallInboundConnectionBlocked"
| summarize
    ['Count of Devices']=dcount(DeviceName),
    ['List of Devices']=make_set(DeviceName)
    by RemoteIP, bin(TimeGenerated, 30m)
| where ['Count of Devices'] >= 3

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceEvents
| where ActionType == "FirewallInboundConnectionBlocked"
| summarize
    ['Count of Devices']=dcount(DeviceName),
    ['List of Devices']=make_set(DeviceName)
    by RemoteIP, bin(Timestamp, 30m)
| where ['Count of Devices'] >= 3

Explanation

This query detects when the same source tries to connect to multiple devices and is denied within a short period of time. It alerts when the same source (keyed on RemoteIP) attempts to connect to three or more different devices within one 30-minute window. The query uses the DeviceEvents table and filters for FirewallInboundConnectionBlocked actions. It then summarizes the count of distinct devices (dcount) and builds a list of the device names (make_set) for each RemoteIP and 30-minute time bin. Finally, it keeps only the cases where the count of devices is greater than or equal to three.
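The following is an added Python model of the query's aggregation, not code from the original page, run over constructed sample rows; it mirrors the where/dcount/make_set/bin steps and also shows the edge case that a fixed 30-minute bin() splits a scan straddling a bin boundary, so the count on each side can fall below the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real telemetry) with the DeviceEvents columns the query uses:
# (TimeGenerated, ActionType, DeviceName, RemoteIP)
BLOCKED = "FirewallInboundConnectionBlocked"
SAMPLE_EVENTS = [
    ("2022-06-17T10:01:00Z", BLOCKED, "ws01", "10.0.0.5"),
    ("2022-06-17T10:05:00Z", BLOCKED, "ws02", "10.0.0.5"),
    ("2022-06-17T10:12:00Z", BLOCKED, "ws03", "10.0.0.5"),  # 3 distinct targets in one bin -> alert
    ("2022-06-17T10:02:00Z", "FirewallOutboundConnectionBlocked", "ws04", "10.0.0.5"),  # other ActionType, ignored
    ("2022-06-17T10:20:00Z", BLOCKED, "ws01", "10.0.0.9"),
    ("2022-06-17T10:21:00Z", BLOCKED, "ws01", "10.0.0.9"),  # repeat target, dcount counts it once
    ("2022-06-17T10:22:00Z", BLOCKED, "ws02", "10.0.0.9"),  # only 2 distinct targets -> no alert
    ("2022-06-17T10:25:00Z", BLOCKED, "ws01", "10.0.0.7"),
    ("2022-06-17T10:28:00Z", BLOCKED, "ws02", "10.0.0.7"),
    ("2022-06-17T10:31:00Z", BLOCKED, "ws03", "10.0.0.7"),  # crosses the 10:30 bin edge -> split, no alert
]
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def bin_start(ts, size=timedelta(minutes=30)):
    """KQL bin(): floor the timestamp to a fixed window boundary measured from the epoch."""
    return EPOCH + ((ts - EPOCH) // size) * size

def detect_recon(events, threshold=3, size=timedelta(minutes=30)):
    """Model of the query: group blocked inbound connections by RemoteIP and 30m bin,
    then report the groups whose distinct target count reaches the threshold."""
    targets = defaultdict(set)  # (RemoteIP, bin) -> set of DeviceName (dcount / make_set)
    for ts, action, device, remote_ip in events:
        if action != BLOCKED:   # | where ActionType == "FirewallInboundConnectionBlocked"
            continue
        targets[(remote_ip, bin_start(parse_ts(ts), size))].add(device)
    return [
        {"RemoteIP": ip, "Bin": b.isoformat(), "Count of Devices": len(names),
         "List of Devices": sorted(names)}
        for (ip, b), names in targets.items()
        if len(names) >= threshold   # | where ['Count of Devices'] >= 3
    ]

if __name__ == "__main__":
    for row in detect_recon(SAMPLE_EVENTS):
        print(row)
```

With the sample rows only 10.0.0.5 is reported; 10.0.0.7 reaches three targets but across two bins, which is why a sliding-window variant is sometimes preferred over bin() for this kind of detection.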

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, FirewallInboundConnectionBlocked, CountofDevices, ListofDevices, RemoteIP, TimeGenerated, bin, AdvancedHunting, DeviceName, Timestamp

Operators

where, summarize, dcount, make_set, by, bin
