KQL Search

Query Details

Network Devices With Most Open Ports

Query

# List the devices with the most open ports
----
### Defender For Endpoint

```
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort < 5000 //Remove open TCP ports
| where LocalIP !="127.0.0.1" // Will generate a lot of false positives
| summarize TotalOpenPorts = dcount(LocalPort), OpenPortsList = make_set(LocalPort) by DeviceName
| sort by TotalOpenPorts
```
### Sentinel
```
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort < 5000 //Remove open TCP ports
| where LocalIP !="127.0.0.1" // Will generate a lot of false positives
| summarize TotalOpenPorts = dcount(LocalPort), OpenPortsList = make_set(LocalPort) by DeviceName
| sort by TotalOpenPorts
```

Explanation

The query lists the devices that have the most open ports. It filters out open TCP ports below 5000 and excludes the local IP address to avoid false positives. It then summarizes the total number of open ports and creates a list of those ports for each device. The devices are sorted based on the total number of open ports.

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,DefenderForEndpoint,Sentinel

Operators

wheresummarizedcountmake_setbysort

KQL Search

Network Devices With Most Open Ports

Query

Explanation

Details

Actions