Query Details

Device Public Port 22 allowed

Query

//Find successful connections from a private to public network on TCP port 22

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 22
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemoteUrl

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 22
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemoteUrl

Explanation

This query searches for successful outbound connections from a private network to a public network on TCP port 22, the default SSH port. It uses the DeviceNetworkEvents table and filters for events that occurred within the last day, have an ActionType of "ConnectionSuccess", a RemotePort of 22, a LocalIPType of "Private" and a RemoteIPType of "Public". It then projects the TimeGenerated (or Timestamp), DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, LocalIP, RemoteIP and RemoteUrl fields, so each result shows which device, account and process opened the connection and where it went. Endpoints on a corporate network rarely need to SSH directly to internet hosts, so a hit is worth reviewing as possible unsanctioned remote administration, tunnelling or data transfer (SCP and SFTP ride the same port); expect legitimate noise from developers and administrators, which is best handled by allowlisting known remote hosts rather than loosening the filter. Note that the query keys only on the destination port: SSH servers listening on a non-standard port are not caught, and a non-SSH service on port 22 would be. The query can be run in Microsoft Sentinel with the M365 Defender - Device* tables data connector, or in Advanced Hunting, which requires the appropriate licence.
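The following is an added example, not part of the original query or the author's work. It runs the same filter over a small constructed set of DeviceNetworkEvents-shaped rows built with datatable, so it can be pasted into Sentinel or Advanced Hunting without touching real data, and extends the detection in two ways a practitioner usually wants: an allowlist of known SSH destinations (the list contents and the 203.0.113.x / 198.51.100.x addresses are assumptions, chosen from documentation ranges) and a summarize step that rolls the raw connections up per device, account and remote host. The fixed ago(1d) window is replaced by an absolute date because datatable rows are literals and cannot be generated relative to now().

```kql
// Known, sanctioned SSH destinations (assumption: replace with your own bastions / git hosts).
let KnownSshTargets = dynamic(["203.0.113.10"]);
// Constructed sample rows shaped like DeviceNetworkEvents; only the columns the query uses are included.
let SampleEvents = datatable(
    Timestamp:datetime, DeviceName:string, ActionType:string, RemotePort:int,
    LocalIPType:string, RemoteIPType:string, LocalIP:string, RemoteIP:string,
    RemoteUrl:string, InitiatingProcessAccountName:string, InitiatingProcessCommandLine:string)
[
    // Allowlisted bastion: filtered out by the !in clause.
    datetime(2022-06-17T08:00:00Z), "ws01", "ConnectionSuccess", 22, "Private", "Public", "10.0.0.5", "203.0.113.10", "", "alice", "ssh.exe ops@203.0.113.10",
    // Private-to-private SSH (lab box): filtered out by RemoteIPType.
    datetime(2022-06-17T08:05:00Z), "ws01", "ConnectionSuccess", 22, "Private", "Private", "10.0.0.5", "10.0.0.20", "", "alice", "ssh.exe lab@10.0.0.20",
    // HTTPS, not SSH: filtered out by RemotePort.
    datetime(2022-06-17T08:10:00Z), "ws02", "ConnectionSuccess", 443, "Private", "Public", "10.0.0.6", "198.51.100.7", "example.net", "bob", "msedge.exe",
    // Failed attempt: filtered out by ActionType.
    datetime(2022-06-17T08:15:00Z), "ws02", "ConnectionFailed", 22, "Private", "Public", "10.0.0.6", "198.51.100.7", "", "bob", "ssh.exe root@198.51.100.7",
    // Two successful SSH sessions to an unknown public host from one account: should surface as one row with Connections == 2.
    datetime(2022-06-17T08:20:00Z), "ws02", "ConnectionSuccess", 22, "Private", "Public", "10.0.0.6", "198.51.100.7", "", "bob", "ssh.exe root@198.51.100.7",
    datetime(2022-06-17T09:45:00Z), "ws02", "ConnectionSuccess", 22, "Private", "Public", "10.0.0.6", "198.51.100.7", "", "bob", "scp.exe C:\\data\\export.zip root@198.51.100.7:/tmp/",
    // Different device, different host: a second result row.
    datetime(2022-06-17T10:30:00Z), "ws03", "ConnectionSuccess", 22, "Private", "Public", "10.0.0.7", "198.51.100.9", "", "carol", "ssh.exe -D 1080 user@198.51.100.9"
];
SampleEvents
// Absolute window stands in for ago(1d) because the rows carry fixed dates.
| where Timestamp > datetime(2022-06-17)
| where ActionType == "ConnectionSuccess" and RemotePort == 22
| where LocalIPType == "Private" and RemoteIPType == "Public"
// Drop sanctioned destinations instead of widening the filter.
| where RemoteIP !in (KnownSshTargets)
// One row per device / account / destination, keeping every distinct command line for triage.
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            CommandLines = make_set(InitiatingProcessCommandLine)
    by DeviceName, InitiatingProcessAccountName, RemoteIP
| order by Connections desc
```

Against the sample rows this returns two results: ws02 / bob / 198.51.100.7 with Connections of 2 and both the ssh.exe and scp.exe command lines, and ws03 / carol / 198.51.100.9 with a single connection whose command line shows a SOCKS proxy (-D 1080) being opened. Swapping SampleEvents for DeviceNetworkEvents and the absolute date for ago(1d) turns this into a drop-in replacement for the query above; the make_set column is usually the fastest way to tell an interactive ssh session from a bulk scp transfer or a tunnel.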

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,TimeGenerated,DeviceName,InitiatingProcessAccountName,InitiatingProcessCommandLine,LocalIP,RemoteIP,RemoteUrl,ActionType,RemotePort,LocalIPType,RemoteIPType,Timestamp

Operators

where, >, ago(), ==, |, project
