# Inbound Authentication From Public IP
## Query Information
#### Description
This query identifies devices that are exposed to the internet by monitoring for inbound authentication attempts that originate from public IP addresses.
#### Risk
Devices that are exposed to the internet are more prone to exploitation.
#### References
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
## Sentinel
```kql
let AllowedEntpoints = pack_array('devicename');
SecurityEvent
// EventID is an int column, so compare against integer literals
| where EventID in (4624, 4625)
| where Computer !in (AllowedEntpoints)
// ipv4_is_private() returns null for '-' or IPv6 values, so those rows are dropped here
| where not(ipv4_is_private(IpAddress))
| summarize arg_min(TimeGenerated, *) by Computer
| lookup kind=leftouter (
    DeviceInfo
    | summarize arg_max(TimeGenerated, *) by DeviceId
    | project DeviceName = toupper(DeviceName), DeviceType, PublicIP, ExposureLevel, MachineGroup
  ) on $left.Computer == $right.DeviceName
```
This query is designed to identify devices that are exposed to the internet by tracking inbound authentication attempts. Here's a simple breakdown of what it does:

- Allowed Devices: It starts by defining a list of device names (AllowedEntpoints) that are expected to receive inbound connections and should be excluded from the results.
- Event Filtering: It looks at security events with IDs 4624 (successful logon) and 4625 (failed logon) to find authentication attempts.
- Public Exposure Check: It excludes devices that are in the allowed list and keeps only events whose source IP address is public (not a private IPv4 address).
- Summarization: It summarizes the data to find the earliest event for each device, which shows when a device first received an inbound authentication attempt from the internet.
- Device Information Lookup: It enriches the data by joining it with the latest record per device from DeviceInfo (device type, public IP, exposure level and machine group) to provide more context about each device.

Overall, this query helps in identifying potentially vulnerable devices that are exposed to the internet and might be at risk of exploitation due to unauthorized access attempts.
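To make the filtering and enrichment steps above concrete, here is a Python re-implementation of the same pipeline run over a handful of constructed SecurityEvent and DeviceInfo rows. This is an added example and not code from the original page or from the query's author; the sample rows, the `ALLOWED_ENDPOINTS` set and the function names are assumptions. The `ipv4_is_private()` helper mirrors the KQL function's behaviour (RFC 1918 check, `None` for anything that is not an IPv4 address), so the example shows which rows the query silently drops: local logons with `IpAddress` of `-` and IPv6 sources.

```python
import ipaddress

# Constructed sample rows (documentation/test address ranges, not real telemetry).
SECURITY_EVENTS = [
    {"TimeGenerated": "2024-12-01T08:05:00Z", "Computer": "WEB01.contoso.local", "EventID": 4625, "IpAddress": "198.51.100.23"},
    {"TimeGenerated": "2024-12-01T07:40:00Z", "Computer": "WEB01.contoso.local", "EventID": 4624, "IpAddress": "203.0.113.77"},
    {"TimeGenerated": "2024-12-01T09:00:00Z", "Computer": "FS01.contoso.local", "EventID": 4624, "IpAddress": "10.20.30.40"},   # private source
    {"TimeGenerated": "2024-12-01T09:10:00Z", "Computer": "FS01.contoso.local", "EventID": 4625, "IpAddress": "-"},             # local logon
    {"TimeGenerated": "2024-12-01T09:30:00Z", "Computer": "VPN01.contoso.local", "EventID": 4624, "IpAddress": "198.51.100.9"},  # allow-listed
    {"TimeGenerated": "2024-12-01T10:00:00Z", "Computer": "APP02.contoso.local", "EventID": 4624, "IpAddress": "2001:db8::1"},   # IPv6 source
    {"TimeGenerated": "2024-12-01T10:15:00Z", "Computer": "APP02.contoso.local", "EventID": 4672, "IpAddress": "198.51.100.50"}, # not a logon event
    {"TimeGenerated": "2024-12-01T11:00:00Z", "Computer": "APP02.contoso.local", "EventID": 4625, "IpAddress": "198.51.100.50"},
]

# Two records for the same DeviceId: only the latest one must be used for enrichment.
DEVICE_INFO = [
    {"TimeGenerated": "2024-11-30T00:00:00Z", "DeviceId": "dev-web01", "DeviceName": "web01.contoso.local",
     "DeviceType": "Server", "PublicIP": "203.0.113.200", "ExposureLevel": "Medium", "MachineGroup": "DMZ"},
    {"TimeGenerated": "2024-12-01T00:00:00Z", "DeviceId": "dev-web01", "DeviceName": "web01.contoso.local",
     "DeviceType": "Server", "PublicIP": "203.0.113.201", "ExposureLevel": "High", "MachineGroup": "DMZ"},
    {"TimeGenerated": "2024-12-01T00:00:00Z", "DeviceId": "dev-fs01", "DeviceName": "fs01.contoso.local",
     "DeviceType": "Server", "PublicIP": "", "ExposureLevel": "Low", "MachineGroup": "Internal"},
]

# Assumed allow-list; plays the role of AllowedEntpoints in the query (exact, case-sensitive match like KQL !in).
ALLOWED_ENDPOINTS = {"VPN01.contoso.local"}
LOGON_EVENT_IDS = (4624, 4625)
ENRICHMENT_COLUMNS = ("DeviceType", "PublicIP", "ExposureLevel", "MachineGroup")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_is_private(value):
    """Mimic KQL ipv4_is_private(): True/False for a parseable IPv4 address, None otherwise."""
    try:
        ip = ipaddress.IPv4Address(value)
    except (ipaddress.AddressValueError, ValueError):
        return None  # '-', '', IPv6 -> null in KQL, and `where not(null)` drops the row
    return any(ip in net for net in RFC1918)


def latest_device_info_by_name(device_info):
    """arg_max(TimeGenerated, *) by DeviceId, then key by upper-cased DeviceName."""
    latest = {}
    for rec in device_info:
        cur = latest.get(rec["DeviceId"])
        # ISO-8601 UTC strings of equal shape compare correctly as plain strings
        if cur is None or rec["TimeGenerated"] > cur["TimeGenerated"]:
            latest[rec["DeviceId"]] = rec
    return {rec["DeviceName"].upper(): rec for rec in latest.values()}


def find_exposed_devices(events, device_info, allowed):
    """Return one row per device: its earliest logon attempt from a public IPv4, enriched from DeviceInfo."""
    earliest = {}
    for ev in events:
        if ev["EventID"] not in LOGON_EVENT_IDS:
            continue
        if ev["Computer"] in allowed:
            continue
        private = ipv4_is_private(ev["IpAddress"])
        if private is None or private:  # null or private -> filtered out
            continue
        cur = earliest.get(ev["Computer"])
        if cur is None or ev["TimeGenerated"] < cur["TimeGenerated"]:  # arg_min(TimeGenerated, *)
            earliest[ev["Computer"]] = ev

    by_name = latest_device_info_by_name(device_info)
    rows = []
    for computer in sorted(earliest):
        ev = earliest[computer]
        # The KQL compares Computer as-is with toupper(DeviceName); both sides are upper-cased here.
        info = by_name.get(computer.upper())  # leftouter: missing enrichment stays None
        row = {"Computer": computer, "FirstSeen": ev["TimeGenerated"],
               "EventID": ev["EventID"], "IpAddress": ev["IpAddress"]}
        for col in ENRICHMENT_COLUMNS:
            row[col] = info[col] if info else None
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in find_exposed_devices(SECURITY_EVENTS, DEVICE_INFO, ALLOWED_ENDPOINTS):
        print(row)
```

Two things the sample run makes visible. First, FS01 never appears even though it had a logon event with a public-looking source: its only non-private row carries `-` as the address, which the query treats as null and discards, the same fate as APP02's IPv6 logon. Second, the lookup only succeeds when the left-hand `Computer` value is already upper case, because the query upper-cases `DeviceName` but not `Computer`; if the enrichment columns come back empty in your workspace, compare both sides case-insensitively (for example by upper-casing `Computer` before the lookup), which is what this example does.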

Bert-Jan Pals
Released: December 1, 2024