Query Details

Remote SMB Connection

Query

# Triggers when a remote SMB connection has been found
----
### Defender For Endpoint

```
DeviceNetworkEvents
| where RemoteIPType == "Public"
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| project-reorder Timestamp, DeviceName, RemoteIP
```
### Sentinel
```
DeviceNetworkEvents
| where RemoteIPType == "Public"
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| project-reorder TimeGenerated, DeviceName, RemoteIP
```



Explanation

The query looks for events where a successful connection to a remote server has been made using the SMB protocol. It filters the events based on the type of remote IP address (public) and the port number (445). The query then reorders and projects specific columns such as the timestamp (Defender for Endpoint) or the time generated (Sentinel), device name, and remote IP address.
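The same where/project-reorder logic replayed in Python over a handful of constructed DeviceNetworkEvents rows, as an added example that is not part of the original query page. It assumes the rows carry the columns the query names (RemoteIPType is taken from the table as Defender supplies it, not recomputed), and the `time_column` parameter covers the Timestamp versus TimeGenerated difference between Defender for Endpoint and Sentinel; the per-device summary is an extra triage step the page does not include.

```python
from collections import defaultdict

# Constructed sample DeviceNetworkEvents rows (not real telemetry). RemoteIPType is the
# classification Defender for Endpoint already provides in the table.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-02-14T08:01:12Z", "DeviceName": "wks-01", "RemoteIP": "198.51.100.7",
     "RemoteIPType": "Public", "RemotePort": 445, "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2023-02-14T08:02:45Z", "DeviceName": "wks-02", "RemoteIP": "10.20.30.40",
     "RemoteIPType": "Private", "RemotePort": 445, "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2023-02-14T08:03:01Z", "DeviceName": "wks-03", "RemoteIP": "198.51.100.9",
     "RemoteIPType": "Public", "RemotePort": 445, "ActionType": "ConnectionFailed"},
    {"Timestamp": "2023-02-14T08:04:30Z", "DeviceName": "wks-01", "RemoteIP": "198.51.100.9",
     "RemoteIPType": "Public", "RemotePort": 443, "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2023-02-14T08:05:55Z", "DeviceName": "wks-01", "RemoteIP": "203.0.113.25",
     "RemoteIPType": "Public", "RemotePort": 445, "ActionType": "ConnectionSuccess"},
]


def remote_smb_connections(events, time_column="Timestamp"):
    """Replay the query's three where filters and the project-reorder over event rows.

    time_column is "Timestamp" for Defender for Endpoint advanced hunting and
    "TimeGenerated" for the same table ingested into Sentinel.
    """
    hits = []
    for ev in events:
        if ev["RemoteIPType"] != "Public":
            continue
        if ev["RemotePort"] != 445 or ev["ActionType"] != "ConnectionSuccess":
            continue
        hits.append({time_column: ev[time_column],
                     "DeviceName": ev["DeviceName"],
                     "RemoteIP": ev["RemoteIP"]})
    return hits


def summarize_by_device(hits):
    """Triage view: distinct public SMB destinations per device (like a KQL summarize make_set)."""
    per_device = defaultdict(set)
    for h in hits:
        per_device[h["DeviceName"]].add(h["RemoteIP"])
    return {dev: sorted(ips) for dev, ips in per_device.items()}


if __name__ == "__main__":
    matches = remote_smb_connections(SAMPLE_EVENTS)
    for m in matches:
        print(m)
    print(summarize_by_device(matches))
```

Only the two successful port-445 connections to public addresses from wks-01 survive the filters; the private-destination, failed, and port-443 rows are dropped.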

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,RemoteIPType,RemotePort,ActionType,Timestamp,DeviceName,RemoteIP,TimeGenerated

Operators

where==|project-reorder