Query Details

List detected devices by external scan

Public Facing Device Scanned

Query

DeviceNetworkEvents
// Filter on devices that have been scanned
| where ActionType == "InboundInternetScanInspected"
| extend AdditionalFieldsDynamic = todynamic(AdditionalFields)
// Extract all additionalfields
| evaluate bag_unpack(AdditionalFieldsDynamic)
| project TimeGenerated, DeviceName, PublicScannedIp, PublicScannedPort

About this query

Explanation

This query is designed to identify and list devices within an organization that have been detected by external scans. The purpose is to help manage the organization's security by identifying devices that are exposed to the internet and could potentially be exploited by attackers. Here's a simple breakdown of what the query does:

  1. Data Source: The query looks at network events related to devices monitored by Microsoft Defender for Endpoint.

  2. Filter Criteria: It specifically filters for events where the action type indicates that the device has been scanned from the internet ("InboundInternetScanInspected").

  3. Data Extraction: It extracts additional information from the event data, such as the timestamp of the scan, the name of the device, the public IP address that was scanned, and the port that was open.

  4. Output: The query lists these details for each scanned device. This information can be used to assess which devices are exposed to the internet and to determine if any firewall rules need to be adjusted to protect these devices.

  5. Purpose: By identifying devices that are accessible from the outside, organizations can take steps to secure them, reducing the risk of unauthorized access and potential exploitation by attackers.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceNetworkEvents

Keywords

Devices

Operators

whereextendtodynamicevaluatebag_unpackproject

Actions

GitHub