Category: Network

  • Detect External Sources scanning my exposed devices

    I had been meaning to research external IPs scanning exposed devices in my organisation. Therefore, I decided to create a KQL query to detect external source IPs that are scanning my exposed devices, because if I see some IPs triggering scans multiple times or on multiple devices… I would suggest to block…

  • Potential Threats or network anomalies related to ICMP Inbound Connections

    Hey there! September’s back, and it looks like hackers took a break last month, but now they’re back at it with more suspicious connections popping up. I was digging through the network logs and checking out data related to the ICMP protocol, which is often used by devices like routers…

  • Methods used to establish secure communication over insecure channels

    Delving deeper into the topic of encryption of communications on our devices, I have been reading about and trying to understand different fields related to it. In this case, I have been researching the ‘curve’ value in the AdditionalFields column of the DeviceNetworkEvents table, which I identified on iana.org in two groups: ‘Elliptic…

  • Detecting Potential Malicious ISP’s and their IP’s associated

    This query helps to identify ISPs where a successful sign-in was never completed, providing you with a list of the malicious IPs associated with them and the ISP country, and allowing you to set the threshold for malicious sign-in attempts. Therefore… ISPs without successful user connections and only failed attempts trying to take user credentials/tokens during…

  • Communication at risk due to the encryption algorithms (Ciphers) in use

    This time, I’m excited to share a shiny new KQL query that dives into the encrypted connections our devices are making. 🔒💻 To do this, I use the DeviceNetworkEvents table, filtering for connections where encryption algorithms are in use. Then, I take a list of the encryption algorithms from a database from…

  • Classifying HTTP Status Code and detecting possible Threats

    While exploring the DeviceNetworkEvents table in Defender XDR, I wanted to dig deeper into the different actions behind various HTTP status codes. I started with a few queries to identify cases where specific status codes were appearing repeatedly, and I uncovered some interesting insights, such as: – Users consistently accessing…

  • Devices with external RDP connections

    This query identifies devices in the DeviceEvents table that are initiating RDP connections and provides the location of the remote IP addresses. The DeviceEvents table has a column called ‘LocalIP’, which can be confusing because it also includes remote IPs. I have added a line to only see entries where the IP…