EEG Assets Allowing Remote Access

# External Attack Surface Protection - Assets allowing remote access ## Query Information ### Description This query shows all discovered external assets with open ports allowing remote access, out of all discovered external assets in Defender External Attack Surface Management and then tries to correlate the asset with a device managed by Defender for Endpoint. #### References - [Defender External Attack Surface Management - Open Ports](https://learn.microsoft.com/en-us/azure/external-attack-surface-management/understanding-dashboards#open-ports) - [External Attack Surface Management initiative in Exposure Management](https://learn.microsoft.com/en-us/security-exposure-management/external-attack-surface-management-initiative) ### Author - **Alex Verboon** ## Defender XDR ```kql ExposureGraphNodes | extend rawData = todynamic(NodeProperties).rawData | where isnotnull(rawData.openPortRanges) | extend openPortRanges = rawData.openPortRanges | where openPortRanges has_any("21","22","23") | join kind=leftouter (DeviceInfo | summarize arg_max(TimeGenerated,*) by DeviceId ) on $left. NodeName == $right. PublicIP | extend RemoteAssetName = NodeName | project RemoteAssetName, openPortRanges, DeviceName, PublicIP, OSPlatform, MachineGroup, ExposureLevel ```

Explanation

This query is designed to identify external assets that have open ports allowing remote access, specifically ports 21, 22, and 23, which are commonly used for FTP, SSH, and Telnet, respectively. It focuses on assets discovered by Microsoft's Defender External Attack Surface Management. The query then attempts to match these external assets with devices managed by Defender for Endpoint to provide additional context about the asset, such as the device name, operating system platform, and exposure level. The final output includes the name of the remote asset, the open port ranges, and relevant device information.

KQL Search

EEG Assets Allowing Remote Access

Query

Explanation

Details

Actions