Triggers when a remote public SBM connection has been found
Remote SMB Connection
Query
DeviceNetworkEvents
| where RemoteIPType == "Public"
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| project-reorder Timestamp, DeviceName, RemoteIPAbout this query
Triggers when a remote public SBM connection has been found
Query Information
Description
Triggers when a remote public SBM connection has been found
Defender XDR
Sentinel
DeviceNetworkEvents
| where RemoteIPType == "Public"
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| project-reorder TimeGenerated, DeviceName, RemoteIP
Explanation
This query is designed to detect successful network connections to a public IP address on port 445, which is commonly used for SMB (Server Message Block) protocol. The query is applied to network event logs and filters for events where the connection was successful. It then organizes the results to display the timestamp, device name, and remote IP address of the connection.
In simple terms, this query helps identify when a device in your network successfully connects to a public IP using the SMB protocol, which could be a potential security concern.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsRemoteIPTypeRemotePortActionTypeTimestampDeviceNameRemoteIPTimeGenerated
Operators
whereproject-reorder