Query Details

Devices No HTTP

Query

//Find devices that have had no inbound web connections in the last 30 days to help build firewall policy

//Microsoft Sentinel query

let devices=
DeviceNetworkEvents
| where TimeGenerated > ago (30d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in ("80","443","8080")
| distinct DeviceId;
DeviceInfo
| where TimeGenerated > ago (30d)
| distinct DeviceId, DeviceName
| where DeviceId !in (devices)


//Advanced Hunting query

let devices=
DeviceNetworkEvents
| where Timestamp > ago (30d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in ("80","443","8080")
| distinct DeviceId;
DeviceInfo
| where Timestamp > ago (30d)
| distinct DeviceId, DeviceName
| where DeviceId !in (devices)

Explanation

The query is looking for devices that have not had any inbound web connections in the last 30 days. It is filtering the DeviceNetworkEvents data for events where the ActionType is "InboundConnectionAccepted" and the LocalPort is either "80", "443", or "8080". It then retrieves the distinct DeviceId values from these events.

The query also retrieves DeviceInfo data for devices that have reported events in the last 30 days, and takes the distinct DeviceId and DeviceName values from this data. It then keeps only the devices whose DeviceId is not in the list of devices with inbound web connections, so the result is the set of devices that accepted no inbound web connections in that period.
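The following is an added example, not part of the original query, that extends the same idea for firewall-policy work: instead of listing only the devices with no inbound web connections, it lists every device seen in DeviceInfo alongside which web ports it actually accepted connections on and when the last one was. It uses the Advanced Hunting column names (Timestamp); for Microsoft Sentinel substitute TimeGenerated. The lookback, port list and output column names are this example's own choices.

```kql
// Added example: per-device summary of accepted inbound web connections over the lookback window.
// Devices with HasInboundWeb == false are the same set the original query returns.
let lookback = 30d;
let webPorts = dynamic([80, 443, 8080]);
let listeners =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "InboundConnectionAccepted"
    | where LocalPort in (webPorts)
    | summarize
        LastInboundWeb = max(Timestamp),
        PortsSeen = make_set(LocalPort),
        InboundWebConnections = count()
        by DeviceId;
DeviceInfo
| where Timestamp > ago(lookback)
// keep one row per device, using its most recent DeviceInfo record
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
| join kind=leftouter listeners on DeviceId
| extend HasInboundWeb = isnotnull(LastInboundWeb)
| project DeviceId, DeviceName, OSPlatform, HasInboundWeb, PortsSeen, InboundWebConnections, LastInboundWeb
| order by HasInboundWeb asc, DeviceName asc
```

A device that shows no accepted inbound web connections may still have a listener on those ports that nothing happened to connect to during the window, so treat the result as evidence for a policy decision rather than proof that nothing is listening.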

Details


Matt Zorich

Released: November 2, 2022

Tables

DeviceNetworkEvents, DeviceInfo

Keywords

Devices,Intune,User

Operators

ago, where, ==, in, distinct, !in
