Category: Devices

  • Detect PnP devices connected to my Endpoints

    Lately, I’ve been diving into a bunch of articles and posts about the risks of Bluetooth, USBs, and other Plug-and-Play (PnP) devices. Based on that, I decided to look into Defender XDR to verify whether some table was registering this kind of event, and yes, DeviceEvents is doing this job. Basically, you…
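    The query below is an added example for this post, not the author's own query: it pulls PnP connection events out of DeviceEvents and surfaces the device class, description and vendor IDs that Defender records in AdditionalFields. The table, ActionType and AdditionalFields key names come from the Defender XDR advanced hunting schema; the list of classes treated as "interesting" and the 7-day window are assumptions you should tune.

```kql
// Added example (not the post's own query): PnP devices connected to endpoints
// in the last 7 days, grouped by device identity, with the classes that most
// often move data (USB storage, portable devices, Bluetooth, imaging) flagged.
// ActionType/AdditionalFields names follow the advanced hunting schema;
// the "interesting" class list is an assumption to tune per environment.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| extend ClassName         = tostring(parsed.ClassName),
         DeviceDescription = tostring(parsed.DeviceDescription),
         DeviceId          = tostring(parsed.DeviceId),
         VendorIds         = tostring(parsed.VendorIds)
// Flag classes that typically expose storage or a data channel
| extend Interesting = ClassName in~ ("USB", "DiskDrive", "WPD", "Bluetooth", "Image")
| summarize Connections = count(),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Devices     = make_set(DeviceName, 20)
  by ClassName, DeviceDescription, DeviceId, VendorIds, Interesting
| where Interesting
| order by Connections desc
```

    Drop the final `where Interesting` to see every class; keeping the grouping on DeviceId and VendorIds lets you spot the same physical stick moving between endpoints, which is the case that usually matters more than the raw count.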

  • Detect External Sources scanning my exposed devices

    I had pending research on external IPs scanning exposed devices in my organisation. Therefore, I decided to create a KQL query to detect external-source IPs that are scanning my exposed devices, because if I see some IPs triggering scans multiple times or on multiple devices… I would suggest blocking…
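    An added example of the detection shape described here, not the author's query: it looks for public addresses that were accepted inbound on many distinct local ports or on several devices, which is the footprint of a port sweep or host sweep. Column and ActionType names are from the DeviceNetworkEvents schema; the thresholds (10 ports, 3 devices) and the 1-day window are assumptions.

```kql
// Added example (not the post's own query): public IPs whose inbound
// connections fan out across many ports or many devices.
// Note: only accepted connections are recorded, so a sweep that hits
// closed ports leaves no trace here; this finds scans that reached
// listening services. Thresholds are assumptions to tune.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "InboundConnectionAccepted"
| where RemoteIPType == "Public"
| summarize Attempts        = count(),
            DistinctPorts   = dcount(LocalPort),
            DistinctDevices = dcount(DeviceName),
            Ports           = make_set(LocalPort, 50),
            Targets         = make_set(DeviceName, 20),
            FirstSeen       = min(Timestamp),
            LastSeen        = max(Timestamp)
  by RemoteIP
| where DistinctPorts >= 10 or DistinctDevices >= 3
| order by DistinctPorts desc, DistinctDevices desc
```

    The caveat in the comment is the important one: DeviceNetworkEvents sees the endpoint's view, so a scanner probing closed ports is invisible to this query and has to be caught at the firewall or with ConnectionFailed-style telemetry where available. Before blocking, check whether the RemoteIP is a known vulnerability scanner or a cloud load balancer you own.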

  • Non-supported Sense Agent version required for the Contain User action by Attack Disruption

    I knew that Attack Disruption existed, but I had never invested time in understanding exactly how it works. In a nutshell, if you have Defender XDR and meet some requirements related to licences and specific settings (which are usually enabled by default), it means that Defender XDR can take actions automatically on your…

  • Methods used to establish secure communication over insecure channels

    Delving deeper into the topic of encryption of communications on our devices, I have been reading about and getting to understand different fields related to it. In this case, I have been researching the ‘curve’ value in the AdditionalFields column of the DeviceNetworkEvents table, which I identified on iana.org in two groups, ‘Elliptic…

  • Enriching CVEDevices tables with CVE Mitre Data

    As usual, another week checking some reported CVEs, what a surprise! 😅 While I was working on it, I discovered that I often visit the CVE MITRE site to get extended information about the announced CVEs, so why not merge this info with the Defender XDR DeviceTvmSoftwareVulnerabilities table? This query takes the info from…

  • Classifying HTTP Status Code and detecting possible Threats

    While exploring the DeviceNetworkEvents table in Defender XDR, I wanted to dig deeper into the different actions behind various HTTP status codes. I started with a few queries to identify cases where specific status codes were appearing repeatedly, and I uncovered some interesting insights, such as: – Users consistently accessing…

  • Devices with external RDP connections

    This query identifies devices in the DeviceEvents table that are initiating RDP connections and provides the location of the remote IP addresses. The DeviceEvents table has a column called ‘LocalIP’, which can be confusing, but it also includes RemoteIPs. I have added a line to only see entries where the IP…
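    An added example for this post, not the author's query: it uses DeviceNetworkEvents rather than DeviceEvents because that table carries RemotePort and RemoteIPType directly, which avoids the LocalIP ambiguity mentioned above. Geolocation comes from geo_info_from_ip_address(), an Azure Data Explorer function; that it is available in your tenant's advanced hunting is an assumption to verify.

```kql
// Added example (not the post's own query): endpoints initiating RDP
// (TCP/3389) to public addresses, enriched with country and city.
// Assumption: geo_info_from_ip_address() (an ADX function) is exposed in
// the tenant's advanced hunting; if not, the extend lines can be removed.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionRequest", "ConnectionSuccess")
| where RemotePort == 3389 and RemoteIPType == "Public"
| extend Geo = geo_info_from_ip_address(RemoteIP)
| extend Country = tostring(Geo.country), City = tostring(Geo.city)
| summarize Connections = count(),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Processes   = make_set(InitiatingProcessFileName, 10),
            Users       = make_set(InitiatingProcessAccountName, 10)
  by DeviceName, RemoteIP, Country, City
| order by Connections desc
```

    Filtering on RemoteIPType == "Public" is the one-line equivalent of the author's "only see entries where the IP…" step; it excludes RFC 1918, loopback and link-local ranges without maintaining your own list. Keeping InitiatingProcessFileName in the output separates mstsc.exe from an unexpected binary speaking RDP.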