Query Details
//Find devices that have had no inbound SMB connections (TCP 139 or 445) in the last 30 days to help build firewall policy
//Microsoft Sentinel query
let devices=
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where ActionType == "InboundConnectionAccepted"
// LocalPort is an int column, so compare against integer literals
| where LocalPort in (139, 445)
| distinct DeviceId;
DeviceInfo
| where TimeGenerated > ago(30d)
| distinct DeviceId, DeviceName
| where DeviceId !in (devices)
//Advanced Hunting query
let devices=
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "InboundConnectionAccepted"
// LocalPort is an int column, so compare against integer literals
| where LocalPort in (139, 445)
| distinct DeviceId;
DeviceInfo
| where Timestamp > ago(30d)
| distinct DeviceId, DeviceName
| where DeviceId !in (devices)

This query looks for devices that have not accepted any inbound SMB connection (TCP 139 or 445) in the last 30 days. It is used to help build a firewall policy: an inbound-SMB block rule can be rolled out first to the devices where it should have no impact. The query first collects every DeviceId that accepted at least one inbound connection on port 139 or 445 in the window and stores the list in a variable called "devices". It then lists every device that reported to DeviceInfo in the same window but is not in the "devices" list. Two caveats when reading the results: absence of events only means something for devices that were onboarded and reporting for the whole 30 days, since a device that was not sending DeviceNetworkEvents will also look like it had no SMB traffic; and because the result is distinct on DeviceId and DeviceName, a device that was renamed during the window appears once per name.
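As an added example (not part of the original query or the author's page), the following Advanced Hunting variant expresses the same check as a leftouter join instead of an anti-membership test. It keeps one row per DeviceId (the most recent DeviceName, so a renamed device is not listed twice), restricts DeviceInfo to onboarded devices so that machines not reporting DeviceNetworkEvents are not mistaken for quiet ones, and for the devices that did accept SMB shows when it last happened and from how many peers, which is the information needed to scope an allow rule for the remaining devices. The column names LastInboundSmb, InboundSmbEvents, RemotePeers and SmbFirewallCandidate are names chosen for this example. For Microsoft Sentinel, replace Timestamp with TimeGenerated.

```kql
// Added example, not from the original page: join-based variant of the inbound SMB check.
let lookback = 30d;
// Per device: last accepted inbound SMB connection, event count and distinct remote peers.
let smbInbound =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "InboundConnectionAccepted"
    | where LocalPort in (139, 445)           // LocalPort is an int column
    | summarize LastInboundSmb = max(Timestamp),
                InboundSmbEvents = count(),
                RemotePeers = dcount(RemoteIP) by DeviceId;
DeviceInfo
| where Timestamp > ago(lookback)
// Only onboarded sensors emit DeviceNetworkEvents; others would look falsely quiet.
| where OnboardingStatus == "Onboarded"
// One row per device, carrying the latest name and platform seen in the window.
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
| join kind=leftouter smbInbound on DeviceId
| extend InboundSmbEvents = coalesce(InboundSmbEvents, 0)
// No matching row in smbInbound means no inbound SMB was accepted in the window.
| extend SmbFirewallCandidate = isnull(LastInboundSmb)
| project DeviceId, DeviceName, OSPlatform, SmbFirewallCandidate,
          LastInboundSmb, InboundSmbEvents, RemotePeers
| order by SmbFirewallCandidate desc, InboundSmbEvents asc
```

Devices with SmbFirewallCandidate set to true are the same set the original query returns (minus any that are not onboarded); the rows below them, ordered by how little SMB they accept, are the next candidates once the peers in RemotePeers have been reviewed.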

Matt Zorich
Released: November 2, 2022