Defender External Attack Surface Management - Open Ports
EASM Open Ports
Query
EasmIpAddressAsset_CL
| summarize arg_max(TimeGenerated,*) by IPAddress
| mv-expand parse_json(Ports_s)
| extend Components = parse_json(WebComponents_s)
| extend LastPortState = tostring(Ports_s.LastPortState)
| extend Port_ = tostring(Ports_s.Port)
| extend PortStateFirstSeen = tostring(Ports_s.PortStateFirstSeen)
| extend PortStateLastSeen = tostring(Ports_s.PortStateLastSeen)
| project TimeGenerated, IPAddress, Port_, LastPortState,PortStateLastSeen , PortStateFirstSeen, Components
| where LastPortState == 'OPEN'About this query
Explanation
This KQL query is designed to help you identify and manage systems with open ports, specifically focusing on Telnet service exposure, using Microsoft Defender External Attack Surface Management data. Here's a simplified breakdown:
-
Open Ports Identification:
- The first part of the query retrieves a list of assets (systems) with open ports.
- It summarizes the most recent data for each IP address and expands the list of ports.
- It extracts details about each port, such as its state (open or closed) and the times when this state was first and last observed.
- The query filters to show only ports that are currently open.
-
Telnet Service Exposure:
- The second part of the query focuses on identifying high-severity risks related to Telnet service exposure.
- It filters the data to show only those assets that have been flagged for Telnet service exposure and have been seen in the last 7 days.
- It excludes any IP addresses that are on a predefined whitelist for Telnet service exposure.
-
Watchlist Creation:
- The query suggests creating a watchlist to keep track of IP addresses with Telnet service exposure.
- This watchlist includes attributes like IP address, description, tag, and risk level.
Overall, this query helps security teams monitor and manage potential vulnerabilities related to open ports and Telnet services, ensuring that high-risk exposures are identified and addressed promptly.
Details

Alex Verboon
Released: April 16, 2026
Tables
EasmIpAddressAsset_CLEasmRisk_CL
Keywords
DefenderExternalAttackSurfaceManagementPortsSystemsAssetsTelnetServiceExposureMicrosoftSentinel
Operators
summarizearg_maxbymv-expandparse_jsonextendtostringprojectwhereletinago