Show all successful SMB connections of a compromised device
MDE Open SMB Connections By Compromised Device
Query
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"About this query
Show all successful SMB connections of a compromised device
Defender XDR
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
Sentinel
Explanation
This query is designed to identify all successful SMB (Server Message Block) connections made by a specific compromised device, named "laptop1", within the last 48 hours. It filters network events to show only those where the connection was successful (indicated by "ConnectionSuccess") and where the connection was made to port 445, which is commonly used for SMB. The query is written for two platforms, Defender XDR and Sentinel, with slight differences in the timestamp field names but otherwise performing the same function.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsTimestampNameRemotePortActionTypeTimeGenerated
Operators
letagowhere