I had a pending task to research external IPs scanning exposed devices in my organisation. So I decided to create a KQL query to detect external source IPs that are scanning my exposed devices, because if I see some IPs triggering scans multiple times or on multiple devices… I would suggest blocking them 🛑 🛡 (just for a while, I don’t want to end up hitting firewall blocklist limits 😅)
DeviceNetworkEvents
// Filter on devices that have been scanned
| where ActionType == "InboundInternetScanInspected"
// Rename the columns so the output reads scanner -> scanned device.
// This query treats LocalIP as the external scanner and RemoteIP as the scanned public address,
// and enriches both with the country from geo_info_from_ip_address().
| project
    IP_Source_ScannerAttempt = LocalIP,
    Country_Source_ScannerAttempt = tostring(geo_info_from_ip_address(LocalIP).country),
    PublicScannedIP = RemoteIP,
    PublicScannedIP_country = tostring(geo_info_from_ip_address(RemoteIP).country),
    PublicScannedPort = RemotePort,
    DeviceName
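The query above lists individual scan events; the aggregation below is an added example (not the author's query) that turns them into a per-source view of repeat scanners, the thing to look at before deciding on a temporary block. It keeps the author's reading of LocalIP as the scanner source; the lookback window and the two thresholds are assumptions to tune per environment.

```kql
// Added example: rank external scanner IPs by how often and how widely they hit exposed devices.
// Assumptions: LocalIP is the external scanner (as in the query above); the window and
// thresholds below are placeholders, not values from the original post.
let lookback    = 7d;   // how far back to look
let min_events  = 5;    // flag a source after this many scan events...
let min_devices = 2;    // ...or when it has touched this many distinct devices
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "InboundInternetScanInspected"
// Sanity check: the scanner side should be a public address. ipv4_is_private() returns
// null for non-IPv4 input, so coalesce() keeps IPv6 sources instead of silently dropping them.
| where isnotempty(LocalIP) and coalesce(ipv4_is_private(LocalIP), false) == false
| summarize
    ScanEvents     = count(),
    ScannedDevices = dcount(DeviceName),
    ScannedPorts   = dcount(RemotePort),
    PortList       = make_set(RemotePort, 20),   // cap the sets so the table stays readable
    DeviceList     = make_set(DeviceName, 20),
    FirstSeen      = min(Timestamp),
    LastSeen       = max(Timestamp)
    by ScannerIP = LocalIP
// Geo-enrich once per source instead of once per event
| extend ScannerCountry = tostring(geo_info_from_ip_address(ScannerIP).country)
// Keep sources that are noisy on one device or spread across several devices
| where ScanEvents >= min_events or ScannedDevices >= min_devices
// How long the source has been active; a short burst and a week-long campaign warrant different responses
| extend ActiveHours = datetime_diff('hour', LastSeen, FirstSeen)
| project ScannerIP, ScannerCountry, ScanEvents, ScannedDevices, ScannedPorts,
          PortList, DeviceList, FirstSeen, LastSeen, ActiveHours
| order by ScannedDevices desc, ScanEvents desc
```

The resulting list is the candidate set for a time-limited block; re-running it after the block expires shows whether the same sources return.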