Query Details

External Device Logon Detection

Query

//This query analyzes external device logon attempts based on ASN data
//Helps identify potentially exposed internet-facing workstations
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
let daterange = ago(7d);
let ExternalLogonAttempts = DeviceLogonEvents
| where Timestamp >= daterange
| where RemoteIPType != "Loopback"
| summarize count() by RemoteIP
//It's possible to filter on the CIDRASNName column once the ASN data has been matched.
//Generally it's best to filter out the org's own ISP so its addresses don't flood the results.
//| evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=false)
//| where CIDRASNName !startswith ""
| distinct RemoteIP;
DeviceLogonEvents
| where Timestamp >= daterange
| where RemoteIP in(ExternalLogonAttempts)
| extend Remote_GeoLocation = geo_info_from_ip_address(RemoteIP)
| evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=false)
| project-reorder Timestamp, DeviceId, DeviceName, LogonType, AccountDomain, AccountName, Protocol, FailureReason, RemoteIP, RemotePort, CIDRASNName, Remote_GeoLocation
| sort by Timestamp 

Explanation

This KQL query is designed to analyze logon attempts from external devices to identify potentially exposed internet-facing workstations. Here's a simplified breakdown of what the query does:

  1. Load ASN Data: It starts by loading a dataset containing CIDR (IP range) and ASN (Autonomous System Number) information from an external CSV file. This data helps in identifying the organization or network associated with an IP address.

  2. Define Date Range: It sets a date range to the last 7 days to focus on recent logon attempts.

  3. Identify External Logon Attempts: The query filters DeviceLogonEvents to logon attempts whose remote IP is not a loopback address (note that private-range addresses still pass this filter). It counts occurrences per remote IP and then reduces the set to the list of distinct remote IP addresses; the count itself is discarded by the trailing distinct and only the IP list is used.

  4. Filter and Enrich Data: The query then filters the logon events to include only those from the identified remote IPs. It enriches this data by adding geographical information based on the IP address and matches it with the ASN data to identify the network or organization associated with the IP. Because the lookup uses return_unmatched=false, events whose IP does not fall in any CIDR of the ASN list are dropped from the output.

  5. Project and Sort Results: Finally, it organizes the results by selecting relevant columns such as timestamp, device details, logon type, account information, protocol, failure reason, remote IP, ASN name, and geographical location. The results are sorted by timestamp for easier analysis.

Overall, this query helps in identifying and analyzing external logon attempts to detect potentially vulnerable workstations that are exposed to the internet.
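As an added example that is not part of the original query, the same enrichment rolled up per device, so an analyst can rank which workstations are receiving logon attempts from many distinct public addresses or networks. It goes beyond the page's per-event listing by applying the commented-out ASN filter and aggregating; the own-ISP name list is a placeholder to be replaced, and the RemoteIPType and ActionType values are those of the DeviceLogonEvents schema.

```kql
// Added example (not the original author's query): per-device exposure summary.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
let daterange = ago(7d);
// Placeholder: put the org's own ISP/ASN name(s) here so they are excluded.
let OwnISP = dynamic(["PLACEHOLDER-OWN-ISP-ASN-NAME"]);
DeviceLogonEvents
| where Timestamp >= daterange
// Keep only routable addresses; this also drops private, reserved and loopback ranges.
| where RemoteIPType == "Public"
// return_unmatched=true keeps events whose IP is not in the ASN list (CIDRASNName empty).
| evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=true)
| where isempty(CIDRASNName) or CIDRASNName !in (OwnISP)
| extend Remote_GeoLocation = geo_info_from_ip_address(RemoteIP)
| extend RemoteCountry = tostring(Remote_GeoLocation.country)
| summarize
    Attempts = count(),
    Failed = countif(ActionType == "LogonFailed"),
    Succeeded = countif(ActionType == "LogonSuccess"),
    DistinctSourceIPs = dcount(RemoteIP),
    DistinctASNs = dcount(CIDRASNName),
    Countries = make_set(RemoteCountry, 20),
    Accounts = make_set(AccountName, 20),
    Protocols = make_set(Protocol, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceId, DeviceName
// A workstation hit from several public sources, or with any success, deserves a look.
| where DistinctSourceIPs > 1 or Succeeded > 0
| sort by DistinctSourceIPs desc, Attempts desc
```

Devices at the top of this list are the candidates for a firewall or RDP/SMB exposure review; a Succeeded value above zero from an unfamiliar ASN warrants an incident triage rather than just hardening.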

Details


Bonk82

Released: November 10, 2024

Tables

DeviceLogonEvents

Keywords

DeviceLogonEvents

Operators

let, externaldata, with, ago, where, summarize, by, distinct, in, extend, geo_info_from_ip_address, evaluate, ipv4_lookup, project-reorder, sort
