Internal connections made by compromised device
MDE Internal Connections Made By Compromised Device
Query
// Add the device you are investigating in the CompromisedDevice variable
let CompromisedDevice = "compromiseddevice";
let SearchWindow = 48h; //Customizable h = hours, d = days
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
DeviceNetworkEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
// Only list the succesfull connections
| where ActionType == "ConnectionSuccess"
// MDE Device Discovery filter
| where InitiatingProcessFileName <> "sensendr.exe"
// Add column that identifies RFC 1918 addresses
| extend IsPrivateAddress = ipv4_is_private(RemoteIP)
// Lateral movement is mostly identified by filtering on the private ip addresses and its connections.
// This query is build to detect private IP connections and not public ip connections.
| where IsPrivateAddress == 1
// Filter System related activities performed by local service
| where InitiatingProcessAccountSid != "S-1-5-19"
// Only list the last connection to each IP address.
| summarize arg_max(TimeGenerated, *), ConnectedPorts = make_set(RemotePort) by RemoteIP
| project
RemoteIP,
ConnectedPorts,
RemoteUrl,
InitiatingProcessAccountSid,
InitiatingProcessAccountUpn,
CompromisedDevice = DeviceName
// Join the network info of the remote IP address, to find the devicename that belongs to that IP
| join kind=inner (DeviceNetworkInfo
| where TimeGenerated > ago(SearchWindow)
| extend IPAddres = extract(IPRegex, 0, tostring(IPAddresses))
// See RFC 1918, these are not DHCP or Static addresses. Do leave them if you do NOT have DHCP running.
| where not(ipv4_is_in_range(IPAddres, "169.254.0.0/16"))
| distinct IPAddres, DeviceName)
on $left.RemoteIP == $right.IPAddres
// Only list rows where the compromised device does not equal the RemoteDevice
| where not(CompromisedDevice == DeviceName)
| project RemoteIP, RemoteDeviceName = DeviceName, ConnectedPorts, RemoteUrl, InitiatingProcessAccountSid, InitiatingProcessAccountUpn, CompromisedDevice
// Known false positives:
// Benign Edge Traffic, which did not initate a connection to an actual remote device.
//| where not(tostring(ConnectedPorts) == "[8009,8008]" or tostring(ConnectedPorts) == "[8008,8009]" or tostring(ConnectedPorts) == "[8009]" or tostring(ConnectedPorts) == "[8009]")About this query
Explanation
This query is designed to help identify unusual network activity from a potentially compromised device within an organization's internal network. Here's a simplified breakdown of what the query does:
-
Setup: You specify the device you suspect is compromised and set a time window (e.g., the last 48 hours) to look for network activity.
-
Filter Events: The query looks at network events from the specified device within the time window. It only considers successful network connections and excludes certain system processes and services that are typically benign.
-
Private IP Focus: It focuses on connections to private IP addresses (internal network), which are more relevant for detecting lateral movement within the organization.
-
Summarize Connections: For each internal IP address the compromised device connected to, the query lists the most recent connection and the ports used.
-
Enrich Data: It attempts to match each internal IP address with a device name to better understand which devices the compromised device communicated with.
-
Exclude Self-Connections: The query ensures that it only lists connections to other devices, not the compromised device itself.
-
Output: The final result shows the internal IP addresses, the corresponding device names, ports used, and some account information related to the connections.
This query is useful for incident response teams to quickly identify potential lateral movement or unusual connection patterns from a compromised device, aiding in the investigation and containment of security incidents.
Details

Bert-Jan Pals
Released: January 18, 2026
Tables
Keywords
Operators