
Hunt Public Devices With Tag

Query

# *Hunt for public facing devices via public tag*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1190 | Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ |

#### Description
Find public facing devices via the public device tag in the DeviceInfo table. The internet facing reason is also included in this query.

#### Risk
Public facing identification is only supported for Windows operating systems with specific versions, so devices running other operating systems will not carry the tag and will not appear in the results. For more details about the nuances, see the blog post listed under References.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://hybridbrothers.com/analyzing-mde-network-inspections/

## Defender XDR
```KQL
// Scope to DeviceInfo reports from the last 7 days
DeviceInfo
| where Timestamp > ago(7d)
// AdditionalFields is stored as a string; parse it into a dynamic object
| extend AdditionalFields = todynamic(AdditionalFields)
// Keep only devices seen as internet facing in the last 7 days
// (rows without the public tag yield null here and are dropped)
| where todatetime(AdditionalFields.InternetFacingLastSeen) > ago(7d)
// Flatten the exposure details into string columns
| extend InternetFacingLastSeen = tostring(AdditionalFields.InternetFacingLastSeen)
    , InternetFacingReason = tostring(AdditionalFields.InternetFacingReason)
    , InternetFacingLocalIp = tostring(AdditionalFields.InternetFacingLocalIp)
    , InternetFacingPublicScannedIp = tostring(AdditionalFields.InternetFacingPublicScannedIp)
    , InternetFacingLocalPort = tostring(AdditionalFields.InternetFacingLocalPort)
    , InternetFacingPublicScannedPort = tostring(AdditionalFields.InternetFacingPublicScannedPort)
    , InternetFacingTransportProtocol = tostring(AdditionalFields.InternetFacingTransportProtocol)
// Keep the most recent record per device and exposure tuple (IPs, ports, protocol, reason)
| summarize arg_max(InternetFacingLastSeen, *) by DeviceName, InternetFacingLocalIp, InternetFacingLocalPort, InternetFacingPublicScannedIp, InternetFacingPublicScannedPort, InternetFacingTransportProtocol, InternetFacingReason
// Select the output columns
| project InternetFacingLastSeen, DeviceName, InternetFacingLocalIp, InternetFacingLocalPort, InternetFacingPublicScannedIp, InternetFacingPublicScannedPort, InternetFacingTransportProtocol, InternetFacingReason
```

## Sentinel
```KQL
N/A
```

Explanation

This query is designed to identify devices that are exposed to the internet, specifically those running Windows operating systems. It does this by looking for devices tagged as "public-facing" in the DeviceInfo table. Here's a simple breakdown of what the query does:

  1. Time Frame: It focuses on data from the last 7 days.
  2. Data Extraction: The query extracts additional fields related to internet exposure from the AdditionalFields column, which is stored in a dynamic format.
  3. Filtering: It keeps only devices that have been identified as internet-facing within the last 7 days; rows without the public tag have no InternetFacingLastSeen value and are dropped.
  4. Data Transformation: Converts various attributes related to internet exposure (like last seen time, reason, local and public IPs and ports, and transport protocol) into string format for easier handling.
  5. Aggregation: It summarizes the data to get the most recent record for each distinct combination of device name, local and public IP and port, transport protocol, and reason, based on the last time that exposure was seen. This is done using the arg_max function.
  6. Output: Finally, it projects (or selects) relevant columns to display, including the last seen time, device name, local and public IPs and ports, transport protocol, and the reason for being internet-facing.

The query helps in identifying potential security risks by pinpointing devices that are accessible from the internet, which could be vulnerable to exploitation as per the MITRE ATT&CK technique T1190.
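The following is an added example in Python, not the author's query or any Defender XDR code: a stand-alone re-implementation of the six steps above, run over constructed DeviceInfo rows. Device names, IP addresses, ports and the InternetFacingReason value "PublicScan" are made up, and the 7-day window is pinned to a fixed "now" so the result is reproducible. It shows which rows survive each stage: two reports of the same exposure collapse to the newest one, a second port on the same device stays a separate row, a stale exposure is dropped, and a device without the public tag (the Windows-only caveat in the Risk section) never passes the filter.

```python
# Added example (not the page's own query or the author's code): an offline
# model of the hunting query's pipeline, run over constructed DeviceInfo rows.
import json
from datetime import datetime, timedelta, timezone

# "Now" is pinned so the 7-day lookback gives a reproducible result.
NOW = datetime(2025, 1, 26, tzinfo=timezone.utc)

# Exposure attributes the query lifts out of AdditionalFields.
EXPOSURE_FIELDS = (
    "InternetFacingLastSeen",
    "InternetFacingReason",
    "InternetFacingLocalIp",
    "InternetFacingPublicScannedIp",
    "InternetFacingLocalPort",
    "InternetFacingPublicScannedPort",
    "InternetFacingTransportProtocol",
)
# The "summarize ... by" key: DeviceName plus every exposure field except LastSeen.
GROUP_KEY = ("DeviceName",) + EXPOSURE_FIELDS[1:]


def _row(timestamp, name, **exposure):
    """Constructed DeviceInfo row; AdditionalFields is a JSON string as in the table."""
    return {"Timestamp": timestamp, "DeviceName": name,
            "AdditionalFields": json.dumps(exposure)}


# Constructed exposure details (all values made up, including the reason string).
WEB_443 = dict(InternetFacingReason="PublicScan", InternetFacingLocalIp="10.1.2.3",
               InternetFacingPublicScannedIp="203.0.113.10", InternetFacingLocalPort=443,
               InternetFacingPublicScannedPort=443, InternetFacingTransportProtocol="TCP")
WEB_80 = dict(WEB_443, InternetFacingLocalPort=80, InternetFacingPublicScannedPort=80)

# Constructed sample rows, not real telemetry.
SAMPLE_DEVICEINFO = [
    # Same 443 exposure reported twice; arg_max keeps the newer report.
    _row("2025-01-25T10:00:00Z", "web01.corp.example", InternetFacingLastSeen="2025-01-25T09:00:00Z", **WEB_443),
    _row("2025-01-20T10:00:00Z", "web01.corp.example", InternetFacingLastSeen="2025-01-20T09:00:00Z", **WEB_443),
    # A second port on the same device is a distinct tuple and stays a separate row.
    _row("2025-01-24T13:00:00Z", "web01.corp.example", InternetFacingLastSeen="2025-01-24T12:00:00Z", **WEB_80),
    # Stale exposure: last seen outside the lookback, so it is dropped.
    _row("2025-01-25T08:00:00Z", "srv02.corp.example", InternetFacingLastSeen="2025-01-10T00:00:00Z", **WEB_443),
    # No public tag at all (e.g. an unsupported OS): fails the LastSeen filter.
    _row("2025-01-25T08:00:00Z", "ws05.corp.example"),
]


def to_datetime(value):
    """Model of todatetime(): None for missing or unparseable input (KQL null)."""
    if value is None:
        return None
    try:
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None


def hunt_public_devices(rows, now=NOW, lookback=timedelta(days=7)):
    """Return the query's result set: one row per device/exposure tuple, newest LastSeen."""
    cutoff = now - lookback
    best = {}
    for row in rows:
        # | where Timestamp > ago(7d)
        ts = to_datetime(row.get("Timestamp"))
        if ts is None or ts <= cutoff:
            continue
        # | extend AdditionalFields = todynamic(AdditionalFields)
        extra = json.loads(row.get("AdditionalFields") or "{}")
        # | where todatetime(AdditionalFields.InternetFacingLastSeen) > ago(7d)
        # A comparison against null is never true, so untagged rows drop out here.
        last_seen = to_datetime(extra.get("InternetFacingLastSeen"))
        if last_seen is None or last_seen <= cutoff:
            continue
        # | extend <field> = tostring(...)   (tostring(null) is the empty string)
        rec = {"DeviceName": row["DeviceName"]}
        for field in EXPOSURE_FIELDS:
            value = extra.get(field)
            rec[field] = "" if value is None else str(value)
        # | summarize arg_max(InternetFacingLastSeen, *) by <GROUP_KEY>
        key = tuple(rec[k] for k in GROUP_KEY)
        if key not in best or last_seen > to_datetime(best[key]["InternetFacingLastSeen"]):
            best[key] = rec
    # | project InternetFacingLastSeen, DeviceName, <exposure columns>
    columns = ("InternetFacingLastSeen",) + GROUP_KEY
    return [{c: r[c] for c in columns} for r in best.values()]


if __name__ == "__main__":
    for result_row in hunt_public_devices(SAMPLE_DEVICEINFO):
        print(result_row)
```

The arg_max step is modelled on the parsed datetime rather than on the string; with ISO 8601 values of a single format the string comparison the query performs orders the same way, so both give the same winner.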

Details


Robbe Van den Daele

Released: January 26, 2025

Tables

DeviceInfo

Keywords

Devices

Operators

where, extend, todynamic, todatetime, ago, tostring, summarize, arg_max, by, project
