List detected devices by external scan
Public Facing Device Scanned
Query
DeviceNetworkEvents
// Filter on devices that have been scanned
| where ActionType == "InboundInternetScanInspected"
| extend AdditionalFieldsDynamic = todynamic(AdditionalFields)
// Extract all additionalfields
| evaluate bag_unpack(AdditionalFieldsDynamic)
| project TimeGenerated, DeviceName, PublicScannedIp, PublicScannedPortAbout this query
Explanation
This query is designed to identify and list devices within an organization that have been detected by external scans. The purpose is to help manage the organization's security by identifying devices that are exposed to the internet and could potentially be exploited by attackers. Here's a simple breakdown of what the query does:
-
Data Source: The query looks at network events related to devices monitored by Microsoft Defender for Endpoint.
-
Filter Criteria: It specifically filters for events where the action type indicates that the device has been scanned from the internet ("InboundInternetScanInspected").
-
Data Extraction: It extracts additional information from the event data, such as the timestamp of the scan, the name of the device, the public IP address that was scanned, and the port that was open.
-
Output: The query lists these details for each scanned device. This information can be used to assess which devices are exposed to the internet and to determine if any firewall rules need to be adjusted to protect these devices.
-
Purpose: By identifying devices that are accessible from the outside, organizations can take steps to secure them, reducing the risk of unauthorized access and potential exploitation by attackers.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators