Query Details

EASM Open Ports

Query


# Defender External Attack Surface Management - Open Ports

## Query Information

### Description

Use the queries below to retrieve information about systems with open ports from Defender External Attack Surface Management (EASM).

#### References

### Microsoft Sentinel

List all assets with Open ports

```kql
EasmIpAddressAsset_CL
| summarize arg_max(TimeGenerated,*) by IPAddress
| mv-expand parse_json(Ports_s)
| extend Components = parse_json(WebComponents_s)
| extend LastPortState = tostring(Ports_s.LastPortState)
| extend Port_ = tostring(Ports_s.Port)
| extend PortStateFirstSeen = tostring(Ports_s.PortStateFirstSeen)
| extend PortStateLastSeen = tostring(Ports_s.PortStateLastSeen)
| project TimeGenerated, IPAddress, Port_, LastPortState, PortStateLastSeen, PortStateFirstSeen, Components
| where LastPortState == 'OPEN'
```

Telnet Service Exposure

```kql
EasmRisk_CL
| where CategoryName_s == "High Severity"
| where MetricDisplayName_s == "ASI: Telnet Service Exposure"
```

Explanation

The first query retrieves information about systems with open ports from Defender External Attack Surface Management. It keeps only the most recent record per IP address (`arg_max` on `TimeGenerated`), expands the `Ports_s` array so that each port becomes its own row, and includes details such as the IP address, port number, last port state, when that state was first and last seen, and web component information. It filters the results to only show ports whose last port state is "OPEN".

The second query specifically focuses on identifying systems with a high severity risk related to Telnet service exposure, by filtering `EasmRisk_CL` on the category name "High Severity" and the metric "ASI: Telnet Service Exposure".
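As an added example that is not part of the original page, the following KQL builds on the first query to collapse the per-port rows back to one row per IP, listing every open port and flagging ports that newly transitioned to OPEN within a lookback window. It uses only the columns the queries above already reference; `lookback` and the threshold of 10 open ports are assumed values to tune for your environment.

```kql
// Added example: open ports per IP with newly opened ports highlighted.
// Only columns from the page's own queries are used; lookback is an assumed parameter.
let lookback = 7d;
EasmIpAddressAsset_CL
| summarize arg_max(TimeGenerated, *) by IPAddress          // latest record per IP
| mv-expand Port = parse_json(Ports_s)                        // one row per port entry
| extend LastPortState = tostring(Port.LastPortState),
         PortNumber = toint(Port.Port),
         PortStateFirstSeen = todatetime(Port.PortStateFirstSeen)
| where LastPortState == 'OPEN'
| summarize OpenPortCount = dcount(PortNumber),
            OpenPorts = make_set(PortNumber),
            // ports whose OPEN state was first observed inside the lookback window
            NewlyOpened = make_set_if(PortNumber, PortStateFirstSeen > ago(lookback))
            by IPAddress
// surface hosts with a recent change or an unusually large exposed surface
| where array_length(NewlyOpened) > 0 or OpenPortCount > 10
| order by OpenPortCount desc
```

Review the `NewlyOpened` set first, since a port that has just appeared on an internet-facing asset is the most likely candidate for an unplanned exposure.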

Details


Alex Verboon

Released: June 4, 2023

Tables

EasmIpAddressAsset_CL, EasmRisk_CL

Keywords

Devices, Intune, User

Operators

summarize, arg_max, mv-expand, parse_json, extend, tostring, project, where
