Query Details

(Public) Inbound connections to a compromised device

MDE Inbound Connections Compromised Device

Query

// Add the device you are investigating in the CompromisedDevice variable
let CompromisedDevice = "test.domain.tld";
let SearchWindow = 10d; //Customizable h = hours, d = days
let SearchWindow = 10d; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
// Only list accepted inbound connections
| where ActionType == "InboundConnectionAccepted"
// Remove comment below if you only want to see inbound connections from public IP addresses.
//| where RemoteIPType == "Public"
// Enrich IP information
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project Timestamp, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, country, state

About this query

Explanation

This query is designed to help you identify and analyze inbound network connections to a specific device that is suspected of being compromised. Here's a simple breakdown of what the query does:

  1. Device Selection: You specify the device you're investigating by setting its name in the CompromisedDevice variable.

  2. Time Frame: The query looks at network events within a customizable time window, which is set to 10 days by default.

  3. Data Source: It examines the DeviceNetworkEvents table to find relevant network activity.

  4. Filter Criteria:

    • It filters for events where the connection was accepted (i.e., ActionType is "InboundConnectionAccepted").
    • Optionally, you can uncomment a line to filter only for connections from public IP addresses.
  5. IP Enrichment: The query enriches the data by retrieving geographical information about the remote IP addresses involved in the connections, such as country, state, city, latitude, and longitude.

  6. Output: The final output includes details like the timestamp of the connection, device name, remote and local IP addresses and ports, and geographical information about the remote IP.

This query helps you quickly understand which external entities are connecting to a potentially compromised device, providing insights into possible unauthorized access or malicious activity.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsTimestampNameActionTypeRemoteIPPortLocalGeoInfoCountryStateCityLatitudeLongitude

Operators

letago()whereextendgeo_info_from_ip_address()tostring()parse_json()project

Actions

GitHub