Query Details

Device SSH Traffic On Non Standard Port

Query

//Detect SSH traffic that isn't on port 22 connecting to public IP addresses

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend AF = parse_json(AdditionalFields)
| extend NetworkSignature = AF.SignatureName
//Search for network signatures that are SSH but not on port 22
| where NetworkSignature == "SSH" and RemotePort != 22
//Exclude traffic where the remote IP is a private/local IP address, you can remove this if also interested in that traffic
| where not(ipv4_is_private(RemoteIP))
//Exclude traffic where the remote IP is a Link Local address (169.254.0.0/16, RFC 3927); a /8 here would also drop routable 169.x.x.x addresses
| where not(ipv4_is_match(RemoteIP,'169.254.0.0/16'))
| project
    TimeGenerated,
    DeviceName,
    NetworkSignature,
    LocalIP,
    LocalPort,
    RemoteIP,
    RemotePort,
    RemoteUrl

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend AF = parse_json(AdditionalFields)
| extend NetworkSignature = AF.SignatureName
//Search for network signatures that are SSH but not on port 22
| where NetworkSignature == "SSH" and RemotePort != 22
//Exclude traffic where the remote IP is a private/local IP address, you can remove this if also interested in that traffic
| where not(ipv4_is_private(RemoteIP))
//Exclude traffic where the remote IP is a Link Local address (169.254.0.0/16, RFC 3927); a /8 here would also drop routable 169.x.x.x addresses
| where not(ipv4_is_match(RemoteIP,'169.254.0.0/16'))
| project
    Timestamp,
    DeviceName,
    NetworkSignature,
    LocalIP,
    LocalPort,
    RemoteIP,
    RemotePort,
    RemoteUrl

Explanation

This query detects SSH traffic that is not on port 22 and is connecting to public IP addresses. It uses the M365 Defender Device* tables as the data connector. The query filters the DeviceNetworkEvents table for events with the ActionType "NetworkSignatureInspected", parses the AdditionalFields JSON column to extract SignatureName as NetworkSignature, and keeps only SSH signatures whose RemotePort is not 22. It excludes traffic where the remote IP is a private/local address or a link-local address; the private-address filter can be removed if non-standard SSH inside the network is also of interest. The query projects the TimeGenerated, DeviceName, NetworkSignature, LocalIP, LocalPort, RemoteIP, RemotePort, and RemoteUrl columns. The same query can also be used with the Advanced Hunting license, where the event time column is Timestamp rather than TimeGenerated.
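For triage it helps to see how often each device talks to each destination and which process opened the connection. The query below is an added example, not part of the original query; it applies the same SSH-on-non-standard-port filters, then summarizes per device and destination using the standard DeviceNetworkEvents InitiatingProcess* columns. The 7-day window is an assumption, and it is written for Sentinel (TimeGenerated); use Timestamp in Advanced Hunting.

```kql
//Added example: same detection, summarized for triage with the initiating process
//Assumes the Sentinel DeviceNetworkEvents table; the 7d window is an assumption
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where ActionType == "NetworkSignatureInspected"
//Pull the inspected signature name out of the AdditionalFields JSON
| extend NetworkSignature = tostring(parse_json(AdditionalFields).SignatureName)
//SSH that is not on the standard port
| where NetworkSignature == "SSH" and RemotePort != 22
//Drop private/local destinations; remove this line to include internal traffic
| where not(ipv4_is_private(RemoteIP))
//Drop link-local destinations (169.254.0.0/16)
| where not(ipv4_is_match(RemoteIP, '169.254.0.0/16'))
//One row per device and destination, with the processes that made the connections
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    ConnectionCount = count(),
    InitiatingProcesses = make_set(InitiatingProcessFileName, 10),
    CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, RemoteIP, RemotePort, RemoteUrl
| order by ConnectionCount desc
```

A single device with one connection from an unfamiliar binary reads very differently from a build server with hundreds of connections from a known SSH client, which the per-process set makes visible at a glance.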

Details

Matt Zorich

Released: May 4, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,ActionType,NetworkSignature,AF,SignatureName,RemotePort,ipv4_is_private,ipv4_is_match,TimeGenerated,DeviceName,LocalIP,LocalPort,RemoteIP,RemoteUrl,Timestamp

Operators

where, extend, parse_json, ==, !=, not, ipv4_is_private, ipv4_is_match, project
