Query Details

Vuln Internet Exposed Devices

Query

//Use logon and network telemetry to find machines exposed to the internet, then count the critical and high severity vulnerabilities on those devices
//This query only works in Advanced Hunting as the DeviceTvm* tables aren't sent to Sentinel yet

//Data connector required for this query - Advanced Hunting license

//Look for logon events coming from a public IP - query adapted from https://github.com/alexverboon/MDATP/blob/master/AdvancedHunting/Failed%20Logon%20-%20Public%20IP.md
let publicips = 
    DeviceLogonEvents
    | where Timestamp > ago(30d)
    | where ActionType in ("LogonFailed", "LogonSuccess")
    | where RemoteIPType == "Public"
    | distinct RemoteIP;
//Use that same list of IP addresses to search for network traffic coming from those IPs, suggesting the device is available on the internet
let publicdevices=
    DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where RemoteIPType == "Public"
    | where RemoteIP in (publicips)
    | distinct DeviceName;
//Find the high and critical vulnerability count for those devices
DeviceTvmSoftwareVulnerabilities
| where DeviceName in (publicdevices)
| summarize ['Vulnerability Count']=dcountif(CveId, VulnerabilitySeverityLevel in ("Critical", "High")) by DeviceName
| sort by ['Vulnerability Count'] desc 

Explanation

This query uses logon and network telemetry data to identify machines that are exposed to the internet. It then counts the number of critical and high severity vulnerabilities on those devices. Please note that this query can only be executed in Advanced Hunting as the DeviceTvm* tables are not yet available in Sentinel.
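As an added example that is not part of the original query, the variant below keeps the same exposure logic but narrows the network side to connections the device actually accepted (the DeviceNetworkEvents ActionType InboundConnectionAccepted) and lists the exposed local ports next to the Critical and High CVEs, so an analyst can see which service is reachable and what is unpatched on it. It assumes the same Advanced Hunting tables and column names as the query above.

```kql
// Added example, not part of the original query: per internet-exposed device, show the
// local ports that accepted inbound connections from public IPs alongside the Critical/High CVEs.
let publicips =
    DeviceLogonEvents
    | where Timestamp > ago(30d)
    | where ActionType in ("LogonFailed", "LogonSuccess")
    | where RemoteIPType == "Public"
    | distinct RemoteIP;
// Only keep connections the device accepted, not outbound traffic to the same addresses
let exposedports =
    DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where ActionType == "InboundConnectionAccepted"
    | where RemoteIPType == "Public"
    | where RemoteIP in (publicips)
    | summarize ['Exposed Local Ports']=make_set(LocalPort), ['Public Source IPs']=dcount(RemoteIP) by DeviceName;
// Collect the Critical/High CVEs per device and join to the exposed devices only
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| summarize ['Vulnerability Count']=dcount(CveId), ['CVEs']=make_set(CveId, 20) by DeviceName
| join kind=inner exposedports on DeviceName
| project DeviceName, ['Public Source IPs'], ['Exposed Local Ports'], ['Vulnerability Count'], ['CVEs']
| sort by ['Vulnerability Count'] desc
```

make_set(CveId, 20) caps the CVE list at 20 entries per device to keep the result readable; raise or remove the limit if you need the full list.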

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceLogonEvents, DeviceNetworkEvents, DeviceTvmSoftwareVulnerabilities

Keywords

DeviceLogonEvents, DeviceNetworkEvents, DeviceTvmSoftwareVulnerabilities, DeviceName, Timestamp, ActionType, RemoteIPType, RemoteIP, CveId, VulnerabilitySeverityLevel

Operators

let, where, ago, in, distinct, summarize, dcountif, by, sort
