
Network - DevicesWithMostOpenPorts.md


# List the devices with the most open ports

## Query Information

### Description

List the devices with the most open ports, based on `ListeningConnectionCreated` events in `DeviceNetworkEvents`.

### Defender XDR

```kql
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort < 5000 // Keep well-known and registered ports; drop high/ephemeral listening ports
| where LocalIP != "127.0.0.1" // Exclude loopback listeners, which otherwise generate a lot of false positives
| summarize TotalOpenPorts = dcount(LocalPort), OpenPortsList = make_set(LocalPort) by DeviceName
| sort by TotalOpenPorts desc // Devices with the most distinct listening ports first
```

### Sentinel

```kql
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort < 5000 // Keep well-known and registered ports; drop high/ephemeral listening ports
| where LocalIP != "127.0.0.1" // Exclude loopback listeners, which otherwise generate a lot of false positives
| summarize TotalOpenPorts = dcount(LocalPort), OpenPortsList = make_set(LocalPort) by DeviceName
| sort by TotalOpenPorts desc // Devices with the most distinct listening ports first
```
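The query above tells you which devices expose the most ports, but not which process opened each one, so triaging a device at the top of the list needs a second query. The variant below is an added example, not one of the repository's own queries: it keeps the same port cutoff and loopback exclusion, limits the lookback to 7 days, and records the protocol and the initiating process per port. The `Timestamp`, `Protocol` and `InitiatingProcessFileName` columns are standard `DeviceNetworkEvents` columns; the extra `::1` exclusion assumes IPv6 loopback listeners are logged with that address.

```kql
// Added example: listening-port census enriched with the owning process.
// Same 5000 cutoff and 127.0.0.1 exclusion as the original query.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ListeningConnectionCreated"
| where LocalPort < 5000
| where LocalIP != "127.0.0.1" and LocalIP != "::1" // assumption: IPv6 loopback is logged as ::1
// One row per device/port/protocol, keeping the most recent process seen listening on it
| summarize arg_max(Timestamp, InitiatingProcessFileName) by DeviceName, LocalPort, Protocol
| summarize TotalOpenPorts = dcount(LocalPort),
            PortsAndProcesses = make_set(strcat(Protocol, "/", tostring(LocalPort), " ", InitiatingProcessFileName))
            by DeviceName
| sort by TotalOpenPorts desc
```

Sorting by `TotalOpenPorts` keeps the ranking identical to the original query; the `PortsAndProcesses` set shows, for the top devices, whether the listeners are expected services or something that warrants a closer look.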