
Hunt Public Devices Without Tag

Query

# *Hunt for public-facing devices via DeviceNetworkEvents*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1190 | Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ |

#### Description
Find devices that accept inbound connections from public IP addresses, using the DeviceNetworkEvents table, so they can be reviewed as potentially public-facing.

#### Risk
When a reverse proxy or load balancer sits in front of a public-facing device, the device only sees the proxy's (typically private) address as the remote endpoint, so RemoteIPType is not "Public" and the device will not be returned by this query.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://hybridbrothers.com/analyzing-mde-network-inspections/

## Defender XDR
```KQL
DeviceNetworkEvents
// Inbound action types (e.g. InboundConnectionAccepted) mean a remote host
// connected to this device. 'contains' is used rather than 'has' because
// the ActionType value is a single term, which 'has' would not match.
| where ActionType contains "InboundConnection"
// The remote endpoint is a publicly routable address, not private/loopback.
| where RemoteIPType == "Public"
// One row per device that has accepted inbound connections from public IPs.
| distinct DeviceName
```

## Sentinel
```KQL
N/A
```

Explanation

This query is designed to identify devices within a network that accept connections from the public internet and could therefore be targets for exploitation (ATT&CK T1190). Here's a simplified breakdown of what the query does:

  1. Data Source: The query uses the DeviceNetworkEvents table, which logs the network connections observed by the Defender for Endpoint sensor on each onboarded device.

  2. Filter Criteria:

    • It keeps events whose ActionType contains "InboundConnection", meaning a remote host initiated the connection and the device was the receiving side.
    • It further filters these events to those where RemoteIPType is "Public", meaning the remote endpoint was a publicly routable IP address rather than a private, link-local or loopback one.

  3. Output:

    • The query returns a distinct list of DeviceName values: the devices that accepted at least one inbound connection from a public IP address.

Risk Note: The query will miss public-facing devices that sit behind a proxy or load balancer. In that setup the device records the proxy's (usually private) address as RemoteIP, so RemoteIPType is "Private" and the event is filtered out, even though the service is reachable from the internet.

This query is useful for security teams to identify and monitor devices that are exposed to the internet, helping them to assess and mitigate risks associated with public-facing applications.
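The following is an added example and not the page's own query. It keeps the same two filters but produces a per-device summary over a lookback window and joins the latest DeviceInfo record, so that public-facing devices that carry no manual or dynamic device tag surface first, which is the gap the query title refers to. The DeviceInfo columns DeviceManualTags, DeviceDynamicTags and IsInternetFacing are assumed from the Defender XDR advanced hunting schema; the 30-day lookback and the 20-port cap are arbitrary choices. The proxy caveat above still applies: a device that only ever sees a proxy's private address is not recovered by this join.

```kql
// Added example (not the original query). Assumes the Defender XDR schema
// columns DeviceInfo.DeviceManualTags and DeviceInfo.DeviceDynamicTags
// (JSON arrays of strings) and DeviceInfo.IsInternetFacing (bool).
let lookback = 30d;
// Devices that accepted inbound connections from publicly routable IPs.
// 'contains' is kept on purpose: 'has' matches whole terms, and a value
// such as "InboundConnectionAccepted" is a single term, so
// has "InboundConnection" would match nothing.
let PublicInbound =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType contains "InboundConnection"
    | where RemoteIPType == "Public"
    | summarize
        FirstSeen = min(Timestamp),
        LastSeen = max(Timestamp),
        InboundEvents = count(),
        DistinctPublicSources = dcount(RemoteIP),
        LocalPorts = make_set(LocalPort, 20)
      by DeviceId, DeviceName;
// Latest tag state per device; arg_max keeps the newest DeviceInfo row.
let LatestDeviceInfo =
    DeviceInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, DeviceManualTags, DeviceDynamicTags, IsInternetFacing)
      by DeviceId;
PublicInbound
| join kind=leftouter LatestDeviceInfo on DeviceId
// Tag columns are JSON arrays; an untagged device carries an empty array or
// no DeviceInfo row at all, so both cases are treated as "no tag".
| extend TagCount = coalesce(array_length(parse_json(DeviceManualTags)), 0)
                  + coalesce(array_length(parse_json(DeviceDynamicTags)), 0)
| where TagCount == 0
// Devices that MDE itself does not flag as internet-facing but that still
// accepted public inbound connections deserve the closest look.
| extend FlaggedByMDE = IsInternetFacing == true
| project DeviceName, DeviceId, FirstSeen, LastSeen, InboundEvents,
          DistinctPublicSources, LocalPorts, FlaggedByMDE
| order by DistinctPublicSources desc, InboundEvents desc
```

Sorting by the number of distinct public sources pushes devices that are reachable by many unrelated internet hosts to the top, while a device with a single public source over the whole window is more likely a one-off (a partner IP or a misclassified scanner) than an exposed service. Once a device has been reviewed, giving it a device tag removes it from subsequent runs.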

Details


Robbe Van den Daele

Released: January 26, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

where, contains, ==, distinct
