Query Details

Network Open Remote Service Ports

Query

# List the devices with open remote service ports

The remote service ports defined in the query:
- 22: SSH
- 139: SMB over NetBIOS (NetBIOS session service)
- 445: SMB
- 3389: RDP
- 5900: VNC
- 5985: WinRM over HTTP
- 5986: WinRM over HTTPS

### Defender For Endpoint

```
// Ports on which remote management services commonly listen
let RemoteServices = dynamic([22, 139, 445, 3389, 5900, 5985, 5986]);
DeviceNetworkEvents
// Only events where a process started listening on a local port
| where ActionType == "ListeningConnectionCreated"
| where LocalPort in (RemoteServices)
// One row per device: the set of ports seen and how many distinct ones
| summarize OpenPorts = make_set(LocalPort), TotalOpenRemoteServicesPorts = dcount(LocalPort) by DeviceName
// Devices with the most open remote service ports first
| sort by TotalOpenRemoteServicesPorts desc
```
### Sentinel
```
// Ports on which remote management services commonly listen
let RemoteServices = dynamic([22, 139, 445, 3389, 5900, 5985, 5986]);
DeviceNetworkEvents
// Only events where a process started listening on a local port
| where ActionType == "ListeningConnectionCreated"
| where LocalPort in (RemoteServices)
// One row per device: the set of ports seen and how many distinct ones
| summarize OpenPorts = make_set(LocalPort), TotalOpenRemoteServicesPorts = dcount(LocalPort) by DeviceName
// Devices with the most open remote service ports first
| sort by TotalOpenRemoteServicesPorts desc
```
Explanation

The query lists the devices that have opened a listening socket on one of the remote service ports. It filters DeviceNetworkEvents to ActionType "ListeningConnectionCreated" events whose LocalPort is one of the ports above (SSH, SMB, RDP, VNC, WinRM), then summarizes per device the set of ports seen and the distinct count of those ports. Devices are sorted with the most open remote service ports first (sort by is descending by default in KQL). Note that the result is built from listener-creation events within the query's time range, not from a live snapshot: a port listed here may since have been closed, and a listener on a host is not necessarily reachable from the network if a host or network firewall blocks it. Servers that are expected to offer these services will appear at the top, so the list is most useful for spotting workstations or unexpected hosts that are offering remote access.
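The following variant is an added example, not part of the original query or the author's repository. It resolves each port number to a service name with a datatable lookup, restricts the search to the last 30 days (an assumed window), and adds the process that opened the listener and when it was last seen, so an analyst can tell sshd or svchost.exe on a server apart from an unexpected binary listening on a workstation. All column names used (Timestamp, LocalPort, InitiatingProcessFileName, DeviceName) are standard DeviceNetworkEvents columns.

```kql
// Added example (not from the original page): port-to-service lookup plus
// listening process and last-seen time per device.
let RemoteServices = datatable(LocalPort:int, Service:string)
[
    22,   "SSH",
    139,  "SMB (NetBIOS session)",
    445,  "SMB",
    3389, "RDP",
    5900, "VNC",
    5985, "WinRM (HTTP)",
    5986, "WinRM (HTTPS)"
];
DeviceNetworkEvents
// Assumed time window; adjust to the retention and review cadence you need
| where Timestamp > ago(30d)
| where ActionType == "ListeningConnectionCreated"
// inner lookup keeps only events on a port in the datatable and adds Service
| lookup kind=inner RemoteServices on LocalPort
| summarize
    LastSeen = max(Timestamp),
    ListeningProcesses = make_set(InitiatingProcessFileName),
    OpenServices = make_set(Service),
    TotalOpenRemoteServicesPorts = dcount(LocalPort)
    by DeviceName
| sort by TotalOpenRemoteServicesPorts desc, LastSeen desc
```

Because lookup matches on column name and type, the datatable's LocalPort column is declared as int to match DeviceNetworkEvents. Extending the list is a matter of adding a row, and the inner join keeps the filtering in one place instead of repeating the port list in a where clause.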

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceNetworkEvents

Keywords

Devices, Intune, User

Operators

where, in, summarize, make_set, dcount, by, sort
