Query Details

Network Interesting Open Ports

Query

# List the devices with interesting open ports

The interesting ports defined in the query:
- 21: FTP
- 22: SSH/SFTP
- 25: SMTP
- 53: DNS
- 80: HTTP
- 110: POP3
- 443: HTTPS
- 1433: MSSQL
- 1434: MSSQL
- 3306: MySQL
- 8080: Alternative HTTP

## Defender For Endpoint

```kql
let portlist = dynamic([21, 22, 25, 53, 80, 110, 443, 1433, 1434, 3306, 8080]); //Add relevant ports in the list if needed
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort in (portlist)
| summarize OpenPorts = make_set(LocalPort) by DeviceName
| sort by array_length(OpenPorts)
```
## Sentinel

```kql
let portlist = dynamic([21, 22, 25, 53, 80, 110, 443, 1433, 1434, 3306, 8080]); //Add relevant ports in the list if needed
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort in (portlist)
| summarize OpenPorts = make_set(LocalPort) by DeviceName
| sort by array_length(OpenPorts)
```

Explanation

The query looks for devices that are listening on ports considered interesting. The interesting ports are specified in the query and cover common services: FTP, SSH, SMTP, DNS, HTTP, POP3, HTTPS, MSSQL, MySQL, and alternative HTTP. The query filters the DeviceNetworkEvents table to events where a listening connection is created and the local port matches one of the interesting ports. It then collects the set of open ports per device and sorts the results by the number of open ports, so the devices exposing the most services appear first.
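An extended version of the query, added here as an example and not part of the original page: it labels each interesting port with the service name from the list above and records which process is listening on it, so an unexpected listener (for example an MSSQL or FTP service on a workstation) stands out. It uses the DeviceNetworkEvents columns Timestamp and InitiatingProcessFileName from the advanced hunting schema; the 7-day window is an assumption to adjust as needed.

```kql
// Added example (not the original query): enrich interesting listening ports
// with the service label and the listening process, then rank devices.
let portlist = datatable(LocalPort:int, Service:string) [
    21, "FTP",
    22, "SSH/SFTP",
    25, "SMTP",
    53, "DNS",
    80, "HTTP",
    110, "POP3",
    443, "HTTPS",
    1433, "MSSQL",
    1434, "MSSQL",
    3306, "MySQL",
    8080, "Alternative HTTP"
];
DeviceNetworkEvents
| where Timestamp > ago(7d)          // assumed lookback window
| where ActionType == "ListeningConnectionCreated"
// inner lookup keeps only rows whose LocalPort is in the list and adds Service
| lookup kind=inner portlist on LocalPort
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    ListeningProcesses = make_set(InitiatingProcessFileName)
    by DeviceName, LocalPort, Service
// one row per device with the set of ports and per-port details
| summarize
    OpenPorts = make_set(LocalPort),
    PortDetails = make_list(bag_pack(
        "Port", LocalPort,
        "Service", Service,
        "Processes", ListeningProcesses,
        "FirstSeen", FirstSeen,
        "LastSeen", LastSeen))
    by DeviceName
| extend PortCount = array_length(OpenPorts)
| sort by PortCount desc
```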

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceNetworkEvents

Keywords

Devices, Intune, User

Operators

where, in, summarize, make_set, sort by, array_length