Query Details

Triggers when a remote public SBM connection has been found

Remote SMB Connection

Query

DeviceNetworkEvents
| where RemoteIPType == "Public"
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| project-reorder Timestamp, DeviceName, RemoteIP

About this query

Triggers when a remote public SBM connection has been found

Query Information

Description

Triggers when a remote public SBM connection has been found

Defender XDR

Sentinel

DeviceNetworkEvents
| where RemoteIPType == "Public"
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| project-reorder TimeGenerated, DeviceName, RemoteIP

Explanation

This query is designed to detect successful network connections to a public IP address on port 445, which is commonly used for SMB (Server Message Block) protocol. The query is applied to network event logs and filters for events where the connection was successful. It then organizes the results to display the timestamp, device name, and remote IP address of the connection.

In simple terms, this query helps identify when a device in your network successfully connects to a public IP using the SMB protocol, which could be a potential security concern.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsRemoteIPTypeRemotePortActionTypeTimestampDeviceNameRemoteIPTimeGenerated

Operators

whereproject-reorder

Actions

GitHub