Query Details

Device Detect Putty Connecting Public

Query

//Detect successful internal to public connections using Putty

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where InitiatingProcessCommandLine contains "putty.exe"
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    LocalIP,
    RemoteIP,
    RemoteUrl,
    RemotePort

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where InitiatingProcessCommandLine contains "putty.exe"
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountName,
    LocalIP,
    RemoteIP,
    RemoteUrl,
    RemotePort

Explanation

This query detects successful network connections made by the PuTTY application from a device with a private (internal) IP address to a public IP address. It reads the DeviceNetworkEvents table and keeps only events where ActionType is "ConnectionSuccess", LocalIPType is "Private", RemoteIPType is "Public", and InitiatingProcessCommandLine contains "putty.exe" (KQL contains is a case-insensitive substring match). The query then projects the TimeGenerated (Timestamp in the Advanced Hunting version), DeviceName, InitiatingProcessAccountName, LocalIP, RemoteIP, RemoteUrl, and RemotePort fields.
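The same filter written in plain Python, so the detection logic can be exercised offline against a handful of rows. This is an added example, not the page's own query or Microsoft code: the rows are constructed with a hypothetical make_event helper, the IPs come from documentation ranges, and detect_putty_public_connections is a name chosen here. It generalises slightly beyond the page by taking the time column as a parameter, so one function serves both the Sentinel (TimeGenerated) and Advanced Hunting (Timestamp) variants.

```python
# Offline re-implementation of the "Device Detect Putty Connecting Public" filter.
# Added example; rows below are constructed sample DeviceNetworkEvents records.

def make_event(**overrides):
    """Build a constructed DeviceNetworkEvents row; keyword overrides replace defaults."""
    base = {
        "TimeGenerated": "2022-06-17T10:01:00Z",
        "DeviceName": "ws01",
        "ActionType": "ConnectionSuccess",
        "LocalIPType": "Private",
        "RemoteIPType": "Public",
        "InitiatingProcessCommandLine": '"C:\\Tools\\putty.exe" -ssh admin@203.0.113.10',
        "InitiatingProcessAccountName": "alice",
        "LocalIP": "10.0.0.5",
        "RemoteIP": "203.0.113.10",
        "RemoteUrl": "",
        "RemotePort": 22,
    }
    base.update(overrides)
    return base


# Constructed sample rows covering the matching case and the main non-matching cases.
SAMPLE_EVENTS = [
    make_event(),  # internal host -> public IP via PuTTY: matches
    make_event(RemoteIPType="Private", RemoteIP="10.0.0.9",
               InitiatingProcessCommandLine="putty.exe -ssh 10.0.0.9"),  # internal-only: excluded
    make_event(ActionType="ConnectionFailed", RemoteIP="203.0.113.11"),  # failed attempt: excluded
    make_event(InitiatingProcessCommandLine="PUTTY.EXE -P 2222 198.51.100.7",
               RemoteIP="198.51.100.7", RemotePort=2222, DeviceName="ws02",
               InitiatingProcessAccountName="bob"),  # KQL contains is case-insensitive: matches
    make_event(InitiatingProcessCommandLine="ssh.exe admin@203.0.113.20",
               RemoteIP="203.0.113.20"),  # OpenSSH client, not PuTTY: excluded
]

# Columns projected by the query, apart from the time column which varies by platform.
PROJECTED_FIELDS = ("DeviceName", "InitiatingProcessAccountName",
                    "LocalIP", "RemoteIP", "RemoteUrl", "RemotePort")


def kql_contains(value, needle):
    """Mimic the KQL 'contains' operator: case-insensitive substring match."""
    return needle.lower() in str(value).lower()


def detect_putty_public_connections(events, time_field="TimeGenerated"):
    """Apply the query's four 'where' clauses, then project the same columns.

    time_field is "TimeGenerated" for Microsoft Sentinel and "Timestamp" for
    Advanced Hunting; everything else is identical between the two versions.
    """
    matches = []
    for ev in events:
        if ev.get("ActionType") != "ConnectionSuccess":      # KQL == is case-sensitive
            continue
        if ev.get("LocalIPType") != "Private":
            continue
        if ev.get("RemoteIPType") != "Public":
            continue
        if not kql_contains(ev.get("InitiatingProcessCommandLine", ""), "putty.exe"):
            continue
        row = {time_field: ev.get(time_field)}
        row.update({field: ev.get(field) for field in PROJECTED_FIELDS})
        matches.append(row)
    return matches


if __name__ == "__main__":
    for row in detect_putty_public_connections(SAMPLE_EVENTS):
        print(row)
```

Running it prints the two matching rows (alice to 203.0.113.10 on port 22, bob to 198.51.100.7 on port 2222). Because the filter keys on the command-line substring "putty.exe", the same rule is also what limits it: a PuTTY binary launched under a different file name produces no match, which is worth keeping in mind when judging coverage of this detection.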

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, ActionType, LocalIPType, RemoteIPType, InitiatingProcessCommandLine, TimeGenerated, DeviceName, InitiatingProcessAccountName, LocalIP, RemoteIP, RemoteUrl, RemotePort, Timestamp

Operators

where, |, ==, contains, project
