Query Details

MDE Open SMB Connections By Compromised Device

Query

# Show all successful SMB connections of a compromised device

----

### Defender For Endpoint

```kql
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
```

### Sentinel

```kql
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
```

Explanation

The query lists all successful SMB (Server Message Block) connections made by a compromised device named "laptop1" within a specified time window (48 hours). It filters the DeviceNetworkEvents table down to events where the device name matches "laptop1", the remote port is 445 (the default port for SMB), and the action type is "ConnectionSuccess". The device name and search window are set as variables at the top of the query so they can be changed without editing the filters.
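A follow-on query, added here as an example and not part of the original page, that takes the same filter and summarizes where the compromised device's SMB connections went, which process opened them and under which account. This is the view an incident responder uses to scope possible lateral movement from the host; it uses the standard DeviceNetworkEvents columns (RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName) and the Defender For Endpoint timestamp column.

```kql
// Added example: scope the SMB activity of a compromised device per remote host.
// Sentinel users replace Timestamp with TimeGenerated, as in the original query.
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; // h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    ConnectionCount = count(),
    // Which binaries spoke SMB: svchost.exe/explorer.exe are expected for
    // file shares, while PsExec-style tooling or scripts stand out here.
    Processes = make_set(InitiatingProcessFileName, 10),
    Accounts = make_set(InitiatingProcessAccountName, 10)
    by DeviceName, RemoteIP, RemoteUrl
| order by ConnectionCount desc
```

Each remote host in the result is a candidate for checking whether the same account or tool shows up there next; a single connection to a host the device has never contacted before is often more telling than the busiest row.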

Details


Bert-Jan Pals

Released: May 10, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, Timestamp, ago, DeviceName, RemotePort, ActionType, TimeGenerated, ConnectionSuccess

Operators

where, ago, let
