Query Details

External Attack Surface Monitoring KQL

Query

// External Attack Surface Monitoring (EASM) KQL
// "The one KQL query that unveils the entire external surface of your MDE device fleet"

let InternetFacingDevices =
    ExposureGraphNodes
    // device nodes, or any node categorized as a virtual machine
    | where NodeLabel == 'device' or set_has_element(Categories, 'virtual_machine')
    | where NodeProperties.rawData.isInternetFacing == true
    | distinct NodeName;
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ListeningConnectionCreated"
| where DeviceName has_any(InternetFacingDevices)
| where LocalIP != @"127.0.0.1"
| summarize ListeningPortExposed=dcount(LocalPort) by DeviceName
| sort by ListeningPortExposed desc 

Explanation

This KQL query identifies devices in your Microsoft Defender for Endpoint (MDE) fleet that Microsoft Security Exposure Management marks as internet-facing, and counts the ports each of them is listening on. Here's a simplified breakdown of what the query does:

  1. Identify Internet-Facing Devices:

    • It starts by looking at the ExposureGraphNodes table (the Exposure Management graph) for nodes labeled 'device' or carrying the 'virtual_machine' category.
    • It filters these devices to only include those that are marked as being exposed to the internet (isInternetFacing == true).
    • It creates a list of distinct device names that meet these criteria, calling this list InternetFacingDevices.
  2. Analyze Network Events:

    • The query then examines DeviceNetworkEvents from the past 30 days.
    • It focuses on events with the "ListeningConnectionCreated" action type, meaning a process on the device bound a socket and started listening for incoming connections.
    • It keeps only events from devices in the InternetFacingDevices list (DeviceName has_any(InternetFacingDevices)). Note that has_any is a term match rather than an exact comparison: it tolerates NodeName and DeviceName differing in domain suffix, but a short node name also matches any other device whose name contains that term. Use DeviceName in~ (InternetFacingDevices) if you need an exact, case-insensitive match.
    • It excludes sockets bound to the IPv4 loopback address (127.0.0.1), which cannot be reached from outside the host. The filter does not cover the IPv6 loopback address (::1), so add it if your fleet has IPv6 listeners.
  3. Summarize and Sort Results:

    • The query counts the number of distinct listening ports exposed on each internet-facing device (ListeningPortExposed).
    • Finally, it sorts the devices in descending order based on the number of exposed listening ports, highlighting those with the most exposure.

In summary, this query shows which devices in your fleet are considered internet-facing and how many distinct ports each one is listening on. Treat the count as a list of candidate exposures rather than confirmed ones: a listening socket on an internet-facing host is only reachable if the host firewall and any upstream network security group or load balancer allow it, so confirm the top results with an external port scan before acting on them.
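An extended form of the query, added here as an example and not part of the original page or Steven Lim's query: it keeps the same device scope and 30-day window, but also lists the ports, bound addresses and listening processes per device, excludes both loopback addresses, and flags wildcard binds (0.0.0.0 or ::), which listen on every interface including the public one. Column names are the standard DeviceNetworkEvents and ExposureGraphNodes schema; the per-set size caps and the WildcardBind flag are assumptions of this example.

```kql
// Added example, not the original query: same fleet scope, richer output.
let lookback = 30d;
let InternetFacingDevices =
    ExposureGraphNodes
    | where NodeLabel == 'device' or set_has_element(Categories, 'virtual_machine')
    | where NodeProperties.rawData.isInternetFacing == true
    | distinct NodeName;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ListeningConnectionCreated"
| where DeviceName has_any (InternetFacingDevices)   // term match, as in the original
| where LocalIP !in ("127.0.0.1", "::1")             // drop IPv4 and IPv6 loopback
// a wildcard bind listens on every interface, so it is the most likely to be reachable
| extend WildcardBind = LocalIP in ("0.0.0.0", "::")
| summarize
    ListeningPortExposed = dcount(LocalPort),
    WildcardBindPorts    = dcountif(LocalPort, WildcardBind),
    ListeningPorts       = make_set(LocalPort, 64),                // capped at 64 per device (assumed limit)
    BoundAddresses       = make_set(LocalIP, 16),
    ListeningProcesses   = make_set(InitiatingProcessFileName, 32),
    LastSeen             = max(Timestamp)
    by DeviceName
| sort by WildcardBindPorts desc, ListeningPortExposed desc
```

The process list is what turns a port number into an action item: a wildcard-bound port owned by an unexpected binary on an internet-facing host is worth a ticket, while the same port bound to a known service behind a network security group is usually noise. If you want one row per port instead of one per device, change the grouping to `by DeviceName, LocalPort` and drop the make_set columns.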

Details


Steven Lim

Released: June 18, 2025

Tables

ExposureGraphNodes, DeviceNetworkEvents

Keywords

Devices

Operators

let, |, where, or, has, set_has_element, ==, has_any, !=, distinct, >, ago, summarize, dcount, by, sort, desc
