(Public) Inbound connections to a compromised device
MDE Inbound Connections Compromised Device
Query
// Add the device you are investigating in the CompromisedDevice variable
let CompromisedDevice = "test.domain.tld";
let SearchWindow = 10d; //Customizable h = hours, d = days
let SearchWindow = 10d; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
// Only list accepted inbound connections
| where ActionType == "InboundConnectionAccepted"
// Remove comment below if you only want to see inbound connections from public IP addresses.
//| where RemoteIPType == "Public"
// Enrich IP information
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project Timestamp, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, country, stateAbout this query
Explanation
This query is designed to help you identify and analyze inbound network connections to a specific device that is suspected of being compromised. Here's a simple breakdown of what the query does:
-
Device Selection: You specify the device you're investigating by setting its name in the
CompromisedDevicevariable. -
Time Frame: The query looks at network events within a customizable time window, which is set to 10 days by default.
-
Data Source: It examines the
DeviceNetworkEventstable to find relevant network activity. -
Filter Criteria:
- It filters for events where the connection was accepted (i.e.,
ActionTypeis "InboundConnectionAccepted"). - Optionally, you can uncomment a line to filter only for connections from public IP addresses.
- It filters for events where the connection was accepted (i.e.,
-
IP Enrichment: The query enriches the data by retrieving geographical information about the remote IP addresses involved in the connections, such as country, state, city, latitude, and longitude.
-
Output: The final output includes details like the timestamp of the connection, device name, remote and local IP addresses and ports, and geographical information about the remote IP.
This query helps you quickly understand which external entities are connecting to a potentially compromised device, providing insights into possible unauthorized access or malicious activity.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators