KQL Search

Query Details

Network Open Database Ports

Query

# List the devices with open database ports

The database ports defined in the query:
- 1433: MSSQL
- 1434: MSSQL
- 1583: Pervasive SQL
- 3050: Firebird & Interbase
- 3306: MySQL
- 3351: Pervasive SQL
- 5432: PostgreSQL


### Defender For Endpoint

```
let databaseports = dynamic([1433, 1434, 1583, 3050, 3306, 3351, 5432]);
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort in (databaseports)
| summarize OpenPorts = make_set(LocalPort), TotalOpenDatabasePorts = dcount(LocalPort) by DeviceName
| sort by TotalOpenDatabasePorts


```
### Sentinel
```
let databaseports = dynamic([1433, 1434, 1583, 3050, 3306, 3351, 5432]);
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort in (databaseports)
| summarize OpenPorts = make_set(LocalPort), TotalOpenDatabasePorts = dcount(LocalPort) by DeviceName
| sort by TotalOpenDatabasePorts
```

Explanation

The query lists the devices that have open database ports. It checks for listening connection events on specific ports associated with different databases and summarizes the number of open ports for each device. The devices are then sorted based on the total number of open database ports.

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,Intune

Operators

whereinsummarizemake_setdcountbysort

KQL Search

Network Open Database Ports

Query

Explanation

Details

Actions