List the devices with interesting open ports
Network Interesting Open Ports
Query
let portlist = dynamic([21, 22, 25, 53, 80, 110, 443, 1433, 1434, 3306, 8080]); //Add relevant ports in the list if needed
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort in (portlist)
| summarize OpenPorts = make_set(LocalPort) by DeviceName
| sort by array_length(OpenPorts)About this query
List the devices with interesting open ports
Query Information
Description
List the devices with interesting open ports
The interesting ports defined in the query:
- 21: FTP
- 22: SSH/SFTP
- 25: SMTP
- 53: DNS
- 80: HTTP
- 110: POP3
- 443: HTTPS
- 1433: MSSQL
- 1434: MSSQL
- 3306: MySQL
- 8080: Alternative HTTP
Defender XDR
Sentinel
let portlist = dynamic([21, 22, 25, 53, 80, 110, 443, 1433, 1434, 3306, 8080]); //Add relevant ports in the list if needed
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort in (portlist)
| summarize OpenPorts = make_set(LocalPort) by DeviceName
| sort by array_length(OpenPorts)
Explanation
This query is designed to identify devices that have certain "interesting" network ports open, which could be indicative of specific services running on those devices. Here's a simple breakdown of what the query does:
-
Define Interesting Ports: The query starts by defining a list of ports that are considered interesting. These ports are associated with common services such as FTP, SSH, HTTP, and database services like MySQL and MSSQL.
-
Filter Network Events: It looks at network events where a device has started listening on a port (indicating that the port is open and ready to accept connections).
-
Check Against Port List: The query filters these events to only include those where the open port matches one of the interesting ports defined earlier.
-
Summarize by Device: For each device, it compiles a list of the interesting ports that are open.
-
Sort Devices: Finally, it sorts the devices based on the number of interesting ports they have open, from the fewest to the most.
In summary, the query identifies devices with open ports that are commonly used for important services, which could be of interest for security monitoring or network management.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators