Query Details
```kql
//Find devices that have had no inbound SSH connections in the last 30 days to help build firewall policy
//Microsoft Sentinel query
let devices=
DeviceNetworkEvents
| where TimeGenerated > ago (30d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort == 22
| distinct DeviceId;
DeviceInfo
| where TimeGenerated > ago (30d)
| distinct DeviceId, DeviceName
| where DeviceId !in (devices)
```

```kql
//Advanced Hunting query
let devices=
DeviceNetworkEvents
| where Timestamp > ago (30d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort == 22
| distinct DeviceId;
DeviceInfo
| where Timestamp > ago (30d)
| distinct DeviceId, DeviceName
| where DeviceId !in (devices)
```
The query looks for devices that have had no inbound SSH connections in the last 30 days. It first filters the DeviceNetworkEvents table to events where the ActionType is "InboundConnectionAccepted" and the LocalPort is 22 (SSH), then collects the distinct DeviceId values from those events into the variable devices.
Next, it takes the DeviceInfo table, restricted to the same 30-day window, and returns the distinct DeviceId and DeviceName pairs. The final where clause keeps only devices whose DeviceId is not in the devices list, so every device that accepted an inbound SSH connection in the window is dropped from the result. The two versions are identical apart from the time column: Microsoft Sentinel uses TimeGenerated, while Advanced Hunting in Microsoft 365 Defender uses Timestamp.
In simple terms, the query returns the devices that have not accepted any inbound SSH connection in the last 30 days, which can be useful when building a firewall policy that blocks inbound port 22 where it is not needed.
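To make the anti-join behaviour of the query concrete, here is an added Python emulation of the same logic over a handful of constructed rows. It is not code from the page or from the author's query repository; the row values, the reference time and the function names are assumptions made for the example. It shows which devices survive the final `!in` filter and, as a check a practitioner would want, that a device accepting SSH on a non-standard port or only making outbound SSH connections is still reported as "no inbound SSH".

```python
"""Offline emulation of the 'no inbound SSH in 30 days' KQL anti-join.

Constructed sample data only; the column names mirror the
DeviceNetworkEvents and DeviceInfo columns the query reads.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 11, 2, tzinfo=timezone.utc)  # constructed reference time (ago() baseline)
WINDOW = timedelta(days=30)


def ev(days_ago, device, action, port):
    """Build one constructed DeviceNetworkEvents row."""
    return {"Timestamp": NOW - timedelta(days=days_ago), "DeviceId": device,
            "ActionType": action, "LocalPort": port}


def info(days_ago, device, name):
    """Build one constructed DeviceInfo row."""
    return {"Timestamp": NOW - timedelta(days=days_ago), "DeviceId": device,
            "DeviceName": name}


# Constructed sample rows (assumed values, not real telemetry).
DEVICE_NETWORK_EVENTS = [
    ev(1, "dev-a", "InboundConnectionAccepted", 22),    # inbound SSH inside the window
    ev(45, "dev-b", "InboundConnectionAccepted", 22),   # inbound SSH, but outside the window
    ev(3, "dev-c", "ConnectionSuccess", 22),            # outbound SSH only; not an inbound accept
    ev(2, "dev-d", "InboundConnectionAccepted", 2222),  # SSH on a non-standard port
]
DEVICE_INFO = [
    info(1, "dev-a", "a.corp.example"),
    info(1, "dev-b", "b.corp.example"),
    info(1, "dev-c", "c.corp.example"),
    info(1, "dev-d", "d.corp.example"),
    info(60, "dev-e", "e.corp.example"),  # no DeviceInfo row inside the window
]


def devices_with_inbound_ssh(events, now=NOW, window=WINDOW, port=22):
    """Emulates the `let devices = ...` subquery: distinct DeviceId values."""
    cutoff = now - window
    return {
        e["DeviceId"] for e in events
        if e["Timestamp"] > cutoff
        and e["ActionType"] == "InboundConnectionAccepted"
        and e["LocalPort"] == port
    }


def devices_without_inbound_ssh(events, device_info, now=NOW, window=WINDOW, port=22):
    """Emulates the main query: DeviceInfo rows in the window whose DeviceId
    is not in the inbound-SSH set (the `!in` anti-join), as distinct
    (DeviceId, DeviceName) pairs."""
    cutoff = now - window
    ssh_devices = devices_with_inbound_ssh(events, now, window, port)
    pairs = {
        (row["DeviceId"], row["DeviceName"]) for row in device_info
        if row["Timestamp"] > cutoff and row["DeviceId"] not in ssh_devices
    }
    return sorted(pairs)


if __name__ == "__main__":
    for device_id, name in devices_without_inbound_ssh(DEVICE_NETWORK_EVENTS, DEVICE_INFO):
        print(f"{device_id}\t{name}")
```

Two results are worth noticing before using the output as a firewall policy input. dev-d is reported even though it accepted SSH on port 2222, because the query keys on LocalPort == 22 rather than on the protocol; and dev-e, which produced no DeviceInfo row in the window, does not appear at all, so a device that was offline or not reporting is neither confirmed nor excluded. Both behaviours are inherent to the KQL as written, not artefacts of the emulation.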

Matt Zorich
Released: November 2, 2022