Show all successful SMB connections of a compromised device

Defender For Endpoint

let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"

Sentinel

let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

MDE - Open-SMB-Connections-By-Compromised-Device.md

MDE - Open-SMB-Connections-By-Compromised-Device.md

Show all successful SMB connections of a compromised device

Defender For Endpoint

Sentinel

Files

MDE - Open-SMB-Connections-By-Compromised-Device.md

Latest commit

History

MDE - Open-SMB-Connections-By-Compromised-Device.md

File metadata and controls

Show all successful SMB connections of a compromised device

Defender For Endpoint

Sentinel