Hunt for public facing devices via DeviceNetworkEvents
Hunt Public Devices Without Tag
Query
DeviceNetworkEvents
| where ActionType contains "InboundConnection"
| where RemoteIPType == "Public"
| distinct DeviceNameAbout this query
Hunt for public facing devices via DeviceNetworkEvents
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1190 | Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ |
Description
Find public facing devices via the DeviceNetworkEvents table.
Risk
When a proxy solution is in front of the public facing device, the devices will not be included in this query.
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Defender XDR
Sentinel
N/A
Explanation
This query is designed to identify devices within a network that are exposed to the public internet, which could potentially be vulnerable to exploitation. Here's a simplified breakdown of what the query does:
-
Data Source: The query uses the
DeviceNetworkEventstable, which logs network-related events for devices. -
Filter Criteria:
- It looks for events where the
ActionTypeindicates an "InboundConnection," meaning the device is receiving a connection from an external source. - It further filters these events to only include those where the
RemoteIPTypeis "Public," signifying that the connection is coming from an IP address that is accessible from the internet.
- It looks for events where the
-
Output:
- The query returns a distinct list of
DeviceNames, which are the names of devices that have received inbound connections from public IP addresses.
- The query returns a distinct list of
Risk Note: The query might not capture all public-facing devices if there is a proxy solution in place, as the proxy could mask the true source of the connections.
This query is useful for security teams to identify and monitor devices that are potentially exposed to the internet, helping them to assess and mitigate risks associated with public-facing applications.
