Query Details

Device Summarize SSH Port Opened Inbound

Query

//Find any devices enrolled into Defender that have created an inbound listening connection on port 22 and retrieve the process command line that opened the connection

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 22
| summarize
    ['Total count of listening connections opened']=count(),
    ['List of processes creating listening connections']=make_set(InitiatingProcessCommandLine)
    by DeviceName
| sort by ['Total count of listening connections opened'] desc 

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 22
| summarize
    ['Total count of listening connections opened']=count(),
    ['List of processes creating listening connections']=make_set(InitiatingProcessCommandLine)
    by DeviceName
| sort by ['Total count of listening connections opened'] desc 

Explanation

This query finds devices enrolled in Defender on which a process has opened an inbound listening socket on port 22, and returns the command line of the process that opened it. It reads the DeviceNetworkEvents table, keeps events whose ActionType is "ListeningConnectionCreated" and whose LocalPort is 22, and then summarizes per device: the number of listener-creation events and the set of distinct initiating process command lines. Results are sorted by that count in descending order.

Two caveats when reading the output. ListeningConnectionCreated records a process binding a listening socket, not a client connecting, so it fires each time the service is (re)started and may fire more than once per start (for example separate IPv4 and IPv6 sockets); the count is therefore the number of times a listener was opened, not the number of inbound SSH sessions, which appear under the InboundConnectionAccepted action type. And port 22 is only conventionally SSH: whatever binds it shows up here, whether sshd, a systemd unit that socket-activates sshd (in which case the initiating process is systemd rather than sshd), or a tool masquerading as an SSH server, which is exactly why the command line is included. The useful hunting signal is a command line or image path that is not the expected SSH daemon for that device's platform.
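The following is an added variant of the page's query, not part of the original, written in the Sentinel flavour (swap TimeGenerated for Timestamp to run it in Advanced Hunting). It narrows the hunt to port-22 listeners opened by something other than the expected SSH daemon and keeps the image path, local address and first/last seen times so an unexpected listener can be triaged without a second query. The exclusion list of expected binaries and the make_set size cap are assumptions about your estate and should be adjusted.

```kusto
// Added example, not the original query: port-22 listeners not opened by the expected SSH daemon.
// The binary names below are an assumption (Linux sshd, Windows OpenSSH sshd.exe); extend for your estate.
let expected_ssh_binaries = dynamic(["sshd", "sshd.exe"]);
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 22
// case-insensitive "not in" so an image name with odd casing is not silently excluded
| where InitiatingProcessFileName !in~ (expected_ssh_binaries)
| summarize
    ['First seen']=min(TimeGenerated),
    ['Last seen']=max(TimeGenerated),
    ['Listener count']=count(),
    // cap the sets so a noisy host cannot blow up the result row (assumed limit of 20)
    ['Local IPs']=make_set(LocalIP, 20),
    ['Command lines']=make_set(InitiatingProcessCommandLine, 20),
    ['Accounts']=make_set(InitiatingProcessAccountName, 20)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath
| sort by ['Listener count'] desc
```

Grouping by InitiatingProcessFileName and InitiatingProcessFolderPath rather than only by DeviceName separates a legitimate sshd started from /usr/sbin from, say, a binary of the same name launched from /tmp on the same host. Expect systemd to appear in the results on distributions that socket-activate SSH; add it to the exclusion list only after confirming that is the configured behaviour on those hosts.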

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

Devices,Defender,Inbound,ListeningConnection,Port22,ProcessCommandLine

Operators

|,where,>,ago,==,summarize,count,make_set,by,sort
