Query Details
**New KSMBD DoS (CVE-2025-38501) can exhaust SMB connections via half-open TCP handshakes**

**Description:** New KSMBD DoS (CVE-2025-38501) can exhaust SMB connections via half-open TCP handshakes — patch to Linux 6.1.15+ or rate-limit TCP/445 to mitigate. This KQL query helps to hunt for connection attempts to port 445 across Linux endpoints in Defender XDR.

```kql
// Linux devices only. DeviceInfo holds many periodic rows per device, so
// reduce it to one row per device before the join; otherwise the inner join
// multiplies every network event (and the final count) by that row count.
DeviceInfo
| where OSPlatform has "Linux"
| distinct DeviceId, DeviceName
| join kind=inner (DeviceNetworkEvents) on $left.DeviceId == $right.DeviceId
| where RemotePort == 445
// country of the remote peer, for quick triage of where attempts originate
| extend Geo_ip = tostring(geo_info_from_ip_address(RemoteIP).country)
| summarize Connection_Attempts = count() by RemoteIP, Geo_ip, RemotePort, DeviceId, DeviceName
| order by Connection_Attempts desc
```
This KQL query is designed to help identify potential exploitation attempts of a new vulnerability (CVE-2025-38501) that affects Linux systems. The vulnerability allows attackers to exhaust SMB connections by using half-open TCP handshakes on port 445. Here's a simple breakdown of what the query does:
1. Filter for Linux Devices: It starts by selecting information from devices that are running a Linux operating system.
2. Join Network Events: It combines this device information with network event data, matching records based on a common device identifier.
3. Focus on Port 445: The query specifically looks for network events where the remote port is 445, which is commonly used for SMB (Server Message Block) connections.
4. Geolocation Information: It adds geolocation information to the results, identifying the country associated with the remote IP address involved in the connection attempt.
5. Summarize Connection Attempts: It counts the number of connection attempts to port 445 for each unique combination of remote IP, geolocation, port, device ID, and device name.
6. Order Results: Finally, it orders the results by the number of connection attempts, allowing analysts to easily identify which IPs are making the most connection attempts.
This query is useful for security analysts using Microsoft Defender XDR to monitor and investigate suspicious network activity related to this specific vulnerability on Linux endpoints.
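The query above filters on `RemotePort == 445`, which surfaces connections a Linux device makes *to* SMB servers. A ksmbd host that is the target of this DoS is the *server*, so the traffic of interest is inbound, with the local port equal to 445. The following variant is an added example, not part of Sergio Albea's query: it pivots to `LocalPort == 445`, keeps only inbound accepted connections, and flags remote IPs whose volume over the lookback window crosses a threshold. The `ActionType` value `InboundConnectionAccepted` is from the `DeviceNetworkEvents` schema; the lookback and the threshold of 50 are constructed values to be tuned per environment. One caveat: an attempt that never completes the TCP handshake may not surface as an accepted connection at all, so treat these counts as a lower bound and pair them with host-side checks on the ksmbd connection limit.

```kql
// Added example: inbound view of SMB connection pressure on Linux ksmbd hosts.
// Assumptions: ksmbd listens on TCP/445; threshold and lookback are constructed.
let lookback = 1d;
let threshold = 50;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where LocalPort == 445
| where ActionType == "InboundConnectionAccepted"
// restrict to Linux devices; distinct avoids inflating counts through the join
| join kind=inner (
    DeviceInfo
    | where OSPlatform has "Linux"
    | distinct DeviceId
) on DeviceId
| extend Geo_ip = tostring(geo_info_from_ip_address(RemoteIP).country)
| summarize Attempts = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by DeviceId, DeviceName, RemoteIP, Geo_ip
| where Attempts >= threshold
// rough rate: attempts per minute across the window in which the IP was active
| extend AttemptsPerMinute = todouble(Attempts) / max_of(1, datetime_diff("minute", LastSeen, FirstSeen))
| order by Attempts desc
```

Run it alongside the original query: the original answers "which Linux hosts are reaching out to SMB servers", this one answers "which remote IPs are hammering my Linux SMB servers", and the `AttemptsPerMinute` column separates a short burst (the DoS pattern) from a steady, legitimate client that simply reconnects often.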

Sergio Albea
Released: September 17, 2025