MDE Internet Facing

Query

# Defender for Endpoint - internet-facing devices

## Query Information

### Description

Use the queries below to gather information about internet-facing devices.

#### References

- [Discovering internet-facing devices using Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/discovering-internet-facing-devices-using-microsoft-defender-for/ba-p/3778975)

### Microsoft 365 Defender

```kql
// query source: Microsoft
DeviceInfo
| where Timestamp > ago(7d)
| where IsInternetFacing
| extend InternetFacingInfo = AdditionalFields
| extend InternetFacingReason = extractjson("$.InternetFacingReason", InternetFacingInfo, typeof(string)),
    InternetFacingLocalPort = extractjson("$.InternetFacingLocalPort", InternetFacingInfo, typeof(int)),
    InternetFacingScannedPublicPort = extractjson("$.InternetFacingScannedPublicPort", InternetFacingInfo, typeof(int)),
    InternetFacingScannedPublicIp = extractjson("$.InternetFacingScannedPublicIp", InternetFacingInfo, typeof(string)),
    InternetFacingLocalIp = extractjson("$.InternetFacingLocalIp", InternetFacingInfo, typeof(string)),
    InternetFacingTransportProtocol = extractjson("$.InternetFacingTransportProtocol", InternetFacingInfo, typeof(string)),
    InternetFacingLastSeen = extractjson("$.InternetFacingLastSeen", InternetFacingInfo, typeof(datetime))
| summarize arg_max(Timestamp, *) by DeviceId
```

```kql
// SMB: devices whose exposed local port is 139 or 445
DeviceInfo
| where Timestamp > ago(7d)
| where IsInternetFacing
| extend InternetFacingInfo = AdditionalFields
| extend InternetFacingReason = extractjson("$.InternetFacingReason", InternetFacingInfo, typeof(string)),
    InternetFacingLocalPort = extractjson("$.InternetFacingLocalPort", InternetFacingInfo, typeof(int)),
    InternetFacingScannedPublicPort = extractjson("$.InternetFacingScannedPublicPort", InternetFacingInfo, typeof(int)),
    InternetFacingScannedPublicIp = extractjson("$.InternetFacingScannedPublicIp", InternetFacingInfo, typeof(string)),
    InternetFacingLocalIp = extractjson("$.InternetFacingLocalIp", InternetFacingInfo, typeof(string)),
    InternetFacingTransportProtocol = extractjson("$.InternetFacingTransportProtocol", InternetFacingInfo, typeof(string)),
    InternetFacingLastSeen = extractjson("$.InternetFacingLastSeen", InternetFacingInfo, typeof(datetime))
| summarize arg_max(Timestamp, *) by DeviceId
| project
    DeviceName,
    IsInternetFacing,
    InternetFacingReason,
    InternetFacingLocalIp,
    InternetFacingLocalPort,
    InternetFacingScannedPublicIp,
    InternetFacingScannedPublicPort
| where InternetFacingLocalPort == 139 or InternetFacingLocalPort == 445
```

Explanation

The query gathers information about internet-facing devices using Microsoft Defender for Endpoint. It reads the DeviceInfo table, keeps only devices flagged as internet-facing, and extracts the internet-facing fields (reason, local and scanned public IP and port, transport protocol, last seen) from the AdditionalFields JSON. It then summarizes by DeviceId so that only the latest report for each device is returned. The second query filters further to devices whose exposed local port is 139 or 445, the ports used by the SMB (Server Message Block) protocol.
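The following is an added example, not part of the original page or Microsoft's query. It generalizes the SMB filter above to a small port-to-service lookup (the `ServiceLookup` table and its service names are constructed for illustration) and, instead of keeping only the latest report per device with `arg_max`, aggregates every report in the window so a device that exposed different ports on different days shows all of them. It assumes, as the page's queries do, that each DeviceInfo row carries one `InternetFacingLocalPort` in AdditionalFields.

```kql
// Constructed lookup of ports worth inventorying; extend as needed.
let ServiceLookup = datatable(InternetFacingLocalPort:int, ServiceName:string) [
    22,   "SSH",
    139,  "SMB (NetBIOS)",
    445,  "SMB",
    3389, "RDP",
    5985, "WinRM (HTTP)",
    5986, "WinRM (HTTPS)"
];
DeviceInfo
| where Timestamp > ago(7d)
| where IsInternetFacing
// parse the JSON once instead of calling extractjson() per field
| extend InternetFacingInfo = parse_json(AdditionalFields)
| extend InternetFacingLocalPort = toint(InternetFacingInfo.InternetFacingLocalPort),
    InternetFacingTransportProtocol = tostring(InternetFacingInfo.InternetFacingTransportProtocol),
    InternetFacingScannedPublicIp = tostring(InternetFacingInfo.InternetFacingScannedPublicIp),
    InternetFacingLastSeen = todatetime(InternetFacingInfo.InternetFacingLastSeen)
| where isnotnull(InternetFacingLocalPort)
// left join keeps rows whose port is not in the lookup
| join kind=leftouter ServiceLookup on InternetFacingLocalPort
| extend ServiceName = iff(isempty(ServiceName), strcat("port ", InternetFacingLocalPort), ServiceName)
// no arg_max here: aggregate every report in the window per device
| summarize ExposedServices = make_set(ServiceName),
    ExposedPorts = make_set(InternetFacingLocalPort),
    PublicIps = make_set(InternetFacingScannedPublicIp),
    Protocols = make_set(InternetFacingTransportProtocol),
    LastSeen = max(InternetFacingLastSeen),
    Reports = count()
    by DeviceId, DeviceName
| sort by LastSeen desc
```

To reproduce the page's SMB view, add `| where ExposedPorts has_any (139, 445)` before the sort.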

Details

Alex Verboon

Released: June 4, 2023

Tables

DeviceInfo

Keywords

Devices, Intune, User

Operators

where, extend, extractjson, summarize, by, project, ==, or