Category: Network
-
Detect External Sources scanning my exposed devices
•
I had been meaning to research external IPs scanning exposed devices in my organisation. Therefore, I decided to create a KQL query to detect ExternalSource IPs that are scanning my exposed devices, because if I see some IPs triggering scans multiple times or on multiple devices… I would suggest blocking…
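One way to surface that kind of source, as an added example that is not the post's own query: it assumes the Defender XDR advanced hunting DeviceNetworkEvents schema, treats the inbound ActionType values, the thresholds and the geolocation step as assumptions to tune, and groups inbound connections from public IPs by source to show how many devices and how many local ports each source has touched.

```kql
// Added example, not the blog's query. Assumes DeviceNetworkEvents in Defender XDR.
// ActionType values, thresholds and the lookback are assumptions to tune.
let lookback = 7d;
let minDevices = 3;    // same public source touching this many distinct devices
let minPorts = 10;     // same public source probing this many distinct local ports
let minHits = 20;      // or simply hammering one device repeatedly
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("InboundConnectionAccepted", "InboundInternetScanInspected")
| where RemoteIPType == "Public"            // drop private, loopback and reserved sources
| summarize
    Hits = count(),
    Devices = dcount(DeviceId),
    Ports = dcount(LocalPort),
    DeviceList = make_set(DeviceName, 20),
    PortList = make_set(LocalPort, 50),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by RemoteIP
| where Devices >= minDevices or Ports >= minPorts or Hits >= minHits
| extend Geo = geo_info_from_ip_address(RemoteIP)   // built-in KQL geolocation, no external lookup
| extend Country = tostring(Geo.country)
| project RemoteIP, Country, Hits, Devices, Ports, FirstSeen, LastSeen, DeviceList, PortList
| order by Devices desc, Ports desc, Hits desc
```

A source that appears with a high Ports count on one device is a port sweep; a high Devices count with few ports is a horizontal scan for one service. Both are candidates for a block at the edge, but check FirstSeen against your own vulnerability scanners and monitoring services before acting on a hit.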
-
Potential Threats or network anomalies related to ICMP Inbound Connections
•
Hey there! September’s back, and it looks like hackers took a break last month, but now they’re back at it with more suspicious connections popping up. I was digging through the network logs and checking out data related to the ICMP protocol, which is often used by devices like routers…
-
Methods used to establish secure communication over insecure channels
•
Delving deeper into the topic of encryption of communications on our devices, I have been reading about and getting to understand the different fields related to it. In this case, I have been researching the 'curve' value in the AdditionalFields field of the DeviceNetworkEvents table, which I identified on iana.org in two groups, 'Elliptic…
-
Detecting Potential Malicious ISP’s and their IP’s associated
•
This query helps to identify ISPs from which a successful sign-in was never completed, providing you with a list of the malicious IPs associated with them and the ISP country, and allowing you to set the threshold for malicious sign-in attempts. Therefore… ISPs without successful user connections and with only failed attempts trying to take user credentials/tokens during…
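An added example of that idea, not the post's own query: it assumes Microsoft Sentinel's SigninLogs table, uses AutonomousSystemNumber as the ISP key because that table carries the ASN rather than an ISP name, treats ResultType "0" as a successful sign-in, and makes the failure threshold and lookback tunable assumptions.

```kql
// Added example, not the blog's query. Assumes Sentinel SigninLogs.
// AutonomousSystemNumber stands in for "ISP"; threshold and lookback are assumptions.
let lookback = 14d;
let minFailures = 25;
SigninLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(AutonomousSystemNumber)
| extend Succeeded = ResultType == "0"
| summarize
    Failures = countif(not(Succeeded)),
    Successes = countif(Succeeded),
    TargetUsers = dcount(UserPrincipalName),
    SourceIPs = make_set(IPAddress, 50),
    Countries = make_set(Location, 10),
    ErrorCodes = make_set(ResultType, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AutonomousSystemNumber
| where Successes == 0 and Failures >= minFailures   // never a success, only failures
| order by Failures desc
```

The Successes == 0 condition is what separates a hostile network from a legitimate one with a few mistyped passwords: an ISP your users actually connect from will show successes over a two-week window. ErrorCodes is worth reading too, since 50126 (bad password) across many TargetUsers looks like spraying, while a single account with many failures looks like brute force.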
-
Communication at risk due to the encryption algorithms (Ciphers) in use
•
This time, I'm excited to share a shiny new KQL query that dives into the encrypted connections our devices are making. 🔒💻 To do this, I use the DeviceNetworkEvents table, filtering for connections where encryption algorithms are used. Then, I take a list of the encryption algorithms database from…
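An added example covering both this post and the 'curve' post above, not the blog's own query: it assumes the SslConnectionInspected ActionType in DeviceNetworkEvents, whose AdditionalFields carries Zeek-style ssl.log fields (version, cipher, curve, server_name), and the weak-cipher, weak-curve and weak-version patterns are an illustrative subset rather than the full IANA registry the post refers to.

```kql
// Added example, not the blog's query. Assumes ActionType "SslConnectionInspected"
// with Zeek-style fields in AdditionalFields. The weak lists are an illustrative subset.
let lookback = 7d;
let WeakVersions = dynamic(["SSLv2", "SSLv3", "TLSv10", "TLSv11"]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "SslConnectionInspected"
| extend F = parse_json(AdditionalFields)
| extend
    Version = tostring(F.version),
    Cipher = tostring(F.cipher),
    Curve = tostring(F.curve),
    ServerName = tostring(F.server_name)
| extend
    // obsolete protocol versions
    WeakVersion = Version in (WeakVersions),
    // RC4, (3)DES, NULL, EXPORT and MD5-based suites, anonymous DH, and static RSA key exchange
    WeakCipher = Cipher matches regex @"(?i)(RC4|3DES|_DES_|NULL|EXPORT|MD5|_anon_)" or Cipher startswith "TLS_RSA_WITH_",
    // short-field curves and 1024-bit finite-field DH groups
    WeakCurve = Curve matches regex @"^(secp|sect)(160|163|192|193|224|233|239)" or Curve =~ "ffdhe_1024"
| where WeakVersion or WeakCipher or WeakCurve
| extend Reason = trim_end(" ", strcat(
    iff(WeakVersion, "version ", ""),
    iff(WeakCipher, "cipher ", ""),
    iff(WeakCurve, "curve ", "")))
| summarize
    Connections = count(),
    Devices = dcount(DeviceId),
    Servers = make_set(ServerName, 20),
    LastSeen = max(Timestamp)
    by RemoteIP, RemotePort, Version, Cipher, Curve, Reason
| order by Connections desc
```

The static-RSA check (TLS_RSA_WITH_) is the one most often debated: those suites are not broken the way RC4 is, but they give no forward secrecy, so a later key compromise decrypts recorded traffic. Keep it in or out depending on whether the post's ciphers database treats them as weak.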
-
Classifying HTTP Status Code and detecting possible Threats
•
While exploring the DeviceNetworkEvents table in Defender XDR, I wanted to dig deeper into the different actions behind various HTTP status codes. I started with a few queries to identify cases where specific status codes were appearing repeatedly, and I uncovered some interesting insights, such as: – Users consistently accessing…
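An added example of the classification step, not the post's own query: it assumes the HttpConnectionInspected ActionType in DeviceNetworkEvents with Zeek-style http.log fields (status_code, method, host, uri) in AdditionalFields, and the burst thresholds used to flag a device are assumptions.

```kql
// Added example, not the blog's query. Assumes ActionType "HttpConnectionInspected"
// with Zeek-style fields in AdditionalFields. Thresholds are assumptions.
let lookback = 24h;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "HttpConnectionInspected"
| extend F = parse_json(AdditionalFields)
| extend
    StatusCode = toint(F.status_code),
    Method = tostring(F.method),
    Host = tostring(F.host),
    Uri = tostring(F.uri)
| where isnotnull(StatusCode)
| extend Class = case(
    StatusCode between (100 .. 199), "1xx Informational",
    StatusCode between (200 .. 299), "2xx Success",
    StatusCode between (300 .. 399), "3xx Redirect",
    StatusCode between (400 .. 499), "4xx Client error",
    StatusCode between (500 .. 599), "5xx Server error",
    "Unknown")
| summarize
    Requests = count(),
    Hosts = dcount(Host),
    Codes = make_set(StatusCode, 20),
    Uris = make_set(Uri, 20),
    LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, Class
// Bursts of 401/403/404 suggest credential probing or content discovery;
// bursts of 5xx suggest exploitation attempts (or just a broken service).
| extend Suspicious = case(
    Class == "4xx Client error" and Requests >= 50, "Repeated client errors: possible brute force or directory enumeration",
    Class == "5xx Server error" and Requests >= 20, "Repeated server errors: possible exploitation attempts or outage",
    "")
| where isnotempty(Suspicious)
| order by Requests desc
```

Reading Uris alongside Codes is what turns a count into a verdict: fifty 404s across fifty different paths on one host is enumeration, fifty 404s on one path is a broken bookmark.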
-
Devices with external RDP connections
•
This query identifies devices in the DeviceEvents table that are initiating RDP connections and provides the location of the remote IP addresses. The DeviceEvents table has a column called 'LocalIP' which can be confusing, but it also includes RemoteIPs. I have added a line to only see entries where the IP…
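An added example with the same goal, not the post's own query: where the post works from DeviceEvents, this one takes outbound TCP/3389 connections from DeviceNetworkEvents and resolves the remote IP with the built-in geo_info_from_ip_address() function, so the table and column names differ from the post. Matching on RemotePort 3389 is a heuristic assumption: RDP on a non-standard port is missed.

```kql
// Added example, not the blog's query. Uses DeviceNetworkEvents rather than the
// DeviceEvents table the post describes. Port 3389 is a heuristic; lookback is an assumption.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where Protocol == "Tcp" and RemotePort == 3389
| where RemoteIPType == "Public"            // only RDP leaving the organisation
| extend Geo = geo_info_from_ip_address(RemoteIP)
| extend Country = tostring(Geo.country), City = tostring(Geo.city)
| summarize
    Connections = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Processes = make_set(InitiatingProcessFileName, 10),
    Users = make_set(InitiatingProcessAccountName, 10)
    by DeviceName, RemoteIP, Country, City
| order by Connections desc
```

Processes is the quick sanity check: mstsc.exe from a known admin account to a vendor's country is routine, while an unfamiliar binary opening 3389 to a public IP from a workstation is worth a closer look.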