List the devices with the most open ports
Network Devices With Most Open Ports
Query
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort < 5000 //Remove open TCP ports
| where LocalIP !="127.0.0.1" // Will generate a lot of false positives
| summarize TotalOpenPorts = dcount(LocalPort), OpenPortsList = make_set(LocalPort) by DeviceName
| sort by TotalOpenPortsAbout this query
List the devices with the most open ports
Query Information
Description
List the devices with the most open ports.
Defender XDR
Sentinel
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort < 5000 //Remove open TCP ports
| where LocalIP !="127.0.0.1" // Will generate a lot of false positives
| summarize TotalOpenPorts = dcount(LocalPort), OpenPortsList = make_set(LocalPort) by DeviceName
| sort by TotalOpenPorts
Explanation
This query is designed to identify and list devices that have the most open network ports. Here's a simple breakdown of what the query does:
-
Data Source: It uses data from
DeviceNetworkEvents, which contains information about network activities on devices. -
Filter Criteria:
- It looks for events where a "ListeningConnectionCreated" action has occurred, indicating that a port is open and listening for connections.
- It only considers ports with numbers less than 5000, filtering out higher-numbered ports that are often used for ephemeral or temporary connections.
- It excludes connections to the local IP address "127.0.0.1" (localhost) to avoid false positives, as these are typically internal to the device.
-
Summarization:
- For each device, it counts the distinct number of open ports (
TotalOpenPorts). - It also creates a list of these open ports (
OpenPortsList).
- For each device, it counts the distinct number of open ports (
-
Sorting:
- Finally, it sorts the devices by the total number of open ports, allowing you to see which devices have the most open ports at the top of the list.
In essence, this query helps identify devices that might be more exposed to network traffic due to having many open ports, which could be a security concern.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceNetworkEvents
Keywords
Devices
Operators
wheresummarizedcountmake_setsort