Detect the usage of weak SSH sessions
Weak SSH Version Used
Query
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "SSH"
| where SignatureMatchedContent == 'SSH-1'
| project-reorder TimeGenerated, DeviceName, RemoteIP, LocalIPAbout this query
Detect the usage of weak SSH sessions
Defender XDR
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "SSH"
| where SignatureMatchedContent == 'SSH-1'
| project-reorder Timestamp, DeviceName, RemoteIP, LocalIP
Sentinel
Explanation
This query is designed to detect the use of weak SSH sessions, specifically those using the outdated SSH-1 protocol. It does this by examining network events where a network signature inspection has occurred. Here's a simple breakdown of what the query does:
-
Source of Data: It looks at network events recorded in a table called
DeviceNetworkEvents. -
Filter by Action Type: It filters the events to only include those where the action type is "NetworkSignatureInspected", meaning the network traffic has been analyzed for known patterns or signatures.
-
Extract Additional Information: It extracts additional details from a field called
AdditionalFields, specifically looking for theSignatureName,SignatureMatchedContent, andSamplePacketContent. -
Focus on SSH Traffic: It further filters the data to focus only on events where the
SignatureNameis "SSH", indicating that the traffic is related to the SSH protocol. -
Identify Weak Protocol: It narrows down the results to those where the
SignatureMatchedContentis 'SSH-1', which is an older and less secure version of the SSH protocol. -
Select and Order Columns: Finally, it selects and orders specific columns for the output: the timestamp of the event, the device name, the remote IP address, and the local IP address.
The query is essentially the same for both Defender XDR and Sentinel, with a slight difference in the timestamp column name (Timestamp for Defender XDR and TimeGenerated for Sentinel).
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators