Query Details

Hunt for public facing devices via public tag

Hunt Public Devices With Tag

Query

DeviceInfo
| where Timestamp > ago(7d)
| extend AdditionalFields = todynamic(AdditionalFields)
| where todatetime(AdditionalFields.InternetFacingLastSeen) > ago(7d)
| extend InternetFacingLastSeen = tostring(AdditionalFields.InternetFacingLastSeen)
    , InternetFacingReason = tostring(AdditionalFields.InternetFacingReason)
    , InternetFacingLocalIp = tostring(AdditionalFields.InternetFacingLocalIp)
    , InternetFacingPublicScannedIp = tostring(AdditionalFields.InternetFacingPublicScannedIp)
    , InternetFacingLocalPort = tostring(AdditionalFields.InternetFacingLocalPort)
    , InternetFacingPublicScannedPort = tostring(AdditionalFields.InternetFacingPublicScannedPort)
    , InternetFacingTransportProtocol = tostring(AdditionalFields.InternetFacingTransportProtocol)
| summarize arg_max(InternetFacingLastSeen, *) by DeviceName, InternetFacingLocalIp, InternetFacingLocalPort, InternetFacingPublicScannedIp, InternetFacingPublicScannedPort, InternetFacingTransportProtocol, InternetFacingReason
| project InternetFacingLastSeen, DeviceName, InternetFacingLocalIp, InternetFacingLocalPort, InternetFacingPublicScannedIp, InternetFacingPublicScannedPort, InternetFacingTransportProtocol, InternetFacingReason

About this query

Hunt for public facing devices via public tag

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1190Exploit Public-Facing Applicationhttps://attack.mitre.org/techniques/T1190/

Description

Find public facing devices via the public device tag in the DeviceInfo table. The internet facing reason is also included in this query.

Risk

Public facing identification is only supported for Windows operating systems with specific versions. For more details about the nuances, see the blogpost added in the references.

Author <Optional>

References

Defender XDR

Sentinel

N/A

Explanation

This query is designed to identify devices that are exposed to the internet, specifically those running Windows operating systems. It does this by looking for devices tagged as "public-facing" in the DeviceInfo table. Here's a simple breakdown of what the query does:

  1. Time Frame: It focuses on data from the last 7 days.
  2. Data Extraction: The query extracts additional fields related to internet exposure from the AdditionalFields column, which is stored in a dynamic format.
  3. Filtering: It filters out devices that have been identified as internet-facing within the last 7 days.
  4. Data Transformation: Converts various attributes related to internet exposure (like last seen time, reason, local and public IPs and ports, and transport protocol) into string format for easier handling.
  5. Aggregation: It summarizes the data to get the most recent record for each device based on the last time it was seen as internet-facing. This is done using the arg_max function.
  6. Output: Finally, it projects (or selects) relevant columns to display, including the last seen time, device name, local and public IPs and ports, transport protocol, and the reason for being internet-facing.

The query helps in identifying potential security risks by pinpointing devices that are accessible from the internet, which could be vulnerable to exploitation as per the MITRE ATT&CK technique T1190.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: January 26, 2025

Tables

DeviceInfo

Keywords

Devices

Operators

whereextendtodynamictodatetimeagotostringsummarizearg_maxbyproject

MITRE Techniques

Actions

GitHub