Query Details

Devices Summarize Inbound Traffic

Query

//Summary of inbound traffic: finds the total count, the distinct count of remote devices and the list of inbound devices per port

//Microsoft Sentinel query

DeviceNetworkEvents
| where TimeGenerated > ago (30d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in ("22","80","139","443","445","3389","8080")
| summarize ['Total Count']=count(), ['Distinct Count of Inbound Devices']=dcount(RemoteIP), ['List of Inbound Devices']=make_set(RemoteIP) by DeviceName, LocalPort
| sort by DeviceName asc, LocalPort asc 

//Advanced Hunting query

//Summary of inbound traffic: finds the total count, the distinct count of remote devices and the list of inbound devices per port
DeviceNetworkEvents
| where Timestamp > ago (30d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in ("22","80","139","443","445","3389","8080")
| summarize ['Total Count']=count(), ['Distinct Count of Inbound Devices']=dcount(RemoteIP), ['List of Inbound Devices']=make_set(RemoteIP) by DeviceName, LocalPort
| sort by DeviceName asc, LocalPort asc 

Explanation

This query summarizes inbound traffic per device and port over the past 30 days: the total number of accepted inbound connections, the number of distinct remote IPs (the inbound devices) and the list of those IPs. It keeps only events whose action type is "InboundConnectionAccepted" and whose local port is one of the listed values (22, 80, 139, 443, 445, 3389, 8080), then groups the results by device name and local port and sorts them in ascending order. The Microsoft Sentinel and Advanced Hunting versions differ only in the timestamp column (TimeGenerated versus Timestamp).
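To try the summary without a tenant and to push it one step toward detection, here is an added KQL example (not the page's or the author's query): it replays the same filters over constructed sample rows supplied with datatable, then adds a 23-day baseline so remote IPs that first reached a watched port in the last 7 days stand out. RefTime, the device names and the IP addresses are constructed values.

```kql
// Added example, not part of the original page: the page's summary over constructed
// sample rows, extended with a baseline so remote IPs new to a watched port in the
// last 7 days stand out. RefTime and every row below are constructed.
let RefTime = datetime(2022-11-02 00:00:00);
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string, LocalPort:int, RemoteIP:string)
[
    datetime(2022-10-05 09:00:00), "fs01",  "InboundConnectionAccepted", 445,  "10.1.0.10",
    datetime(2022-10-06 09:05:00), "fs01",  "InboundConnectionAccepted", 445,  "10.1.0.11",
    datetime(2022-10-30 22:10:00), "fs01",  "InboundConnectionAccepted", 445,  "10.1.0.10",
    datetime(2022-11-01 03:15:00), "fs01",  "InboundConnectionAccepted", 3389, "198.51.100.7",
    datetime(2022-11-01 03:16:00), "fs01",  "InboundConnectionAccepted", 3389, "198.51.100.7",
    datetime(2022-10-20 11:00:00), "web01", "InboundConnectionAccepted", 443,  "203.0.113.5",
    datetime(2022-11-01 11:00:00), "web01", "InboundConnectionAccepted", 443,  "203.0.113.9",
    datetime(2022-11-01 11:00:00), "web01", "InboundConnectionFailed",   8080, "203.0.113.9"
];
// Same filters as the original query, anchored on the constructed reference time
let Inbound = SampleEvents
| where Timestamp between ((RefTime - 30d) .. RefTime)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in (22, 80, 139, 443, 445, 3389, 8080);
// The page's summary: total connections, distinct remote IPs and their list per device/port
let Summary = Inbound
| summarize ['Total Count']=count(),
            ['Distinct Count of Inbound Devices']=dcount(RemoteIP),
            ['List of Inbound Devices']=make_set(RemoteIP) by DeviceName, LocalPort;
// Remote IPs seen on each device/port during the first 23 days of the window
let Baseline = Inbound
| where Timestamp < RefTime - 7d
| summarize KnownIPs=make_set(RemoteIP) by DeviceName, LocalPort;
// Remote IPs from the last 7 days that are absent from the baseline;
// a device/port with no baseline row gets an empty set so set_difference keeps all of them
let NewInLast7d = Inbound
| where Timestamp >= RefTime - 7d
| summarize RecentIPs=make_set(RemoteIP) by DeviceName, LocalPort
| join kind=leftouter Baseline on DeviceName, LocalPort
| extend NewIPs = set_difference(RecentIPs, iff(isnull(KnownIPs), dynamic([]), KnownIPs))
| where array_length(NewIPs) > 0
| project DeviceName, LocalPort, NewIPs;
// Final table: the original summary columns plus NewIPs (null when nothing new appeared)
Summary
| join kind=leftouter NewInLast7d on DeviceName, LocalPort
| project DeviceName, LocalPort, ['Total Count'], ['Distinct Count of Inbound Devices'],
          ['List of Inbound Devices'], NewIPs
| sort by DeviceName asc, LocalPort asc
```

With these rows, fs01 on 3389 and web01 on 443 each report a newly seen remote IP, while fs01 on 445 only repeats addresses already in the baseline. Replace SampleEvents with DeviceNetworkEvents and RefTime with now() to run it against live data.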

Details


Matt Zorich

Released: November 2, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,TimeGenerated,ActionType,InboundConnectionAccepted,LocalPort,TotalCount,DistinctCountofInboundDevices,ListofInboundDevices,DeviceName,RemoteIP,Timestamp,make_set,sortby

Operators

where, ago, ==, in, summarize, count(), dcount(), make_set(), by, sort by
