Query Details

Detect the usage of weak SSH sessions

Weak SSH Version Used

Query

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "SSH"
| where SignatureMatchedContent == 'SSH-1'
| project-reorder TimeGenerated, DeviceName, RemoteIP, LocalIP

About this query

Detect the usage of weak SSH sessions


Defender XDR

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "SSH"
| where SignatureMatchedContent == 'SSH-1'
| project-reorder Timestamp, DeviceName, RemoteIP, LocalIP

Sentinel

Explanation

This query is designed to detect the use of weak SSH sessions, specifically those using the outdated SSH-1 protocol. It does this by examining network events where a network signature inspection has occurred. Here's a simple breakdown of what the query does:

  1. Source of Data: It looks at network events recorded in a table called DeviceNetworkEvents.

  2. Filter by Action Type: It filters the events to only include those where the action type is "NetworkSignatureInspected", meaning the network traffic has been analyzed for known patterns or signatures.

  3. Extract Additional Information: It extracts additional details from a field called AdditionalFields, specifically looking for the SignatureName, SignatureMatchedContent, and SamplePacketContent.

  4. Focus on SSH Traffic: It further filters the data to focus only on events where the SignatureName is "SSH", indicating that the traffic is related to the SSH protocol.

  5. Identify Weak Protocol: It narrows down the results to those where the SignatureMatchedContent is 'SSH-1', which is an older and less secure version of the SSH protocol.

  6. Select and Order Columns: Finally, it selects and orders specific columns for the output: the timestamp of the event, the device name, the remote IP address, and the local IP address.

The query is essentially the same for both Defender XDR and Sentinel, with a slight difference in the timestamp column name (Timestamp for Defender XDR and TimeGenerated for Sentinel).

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsSignatureNameMatchedContentSamplePacketTimestampRemoteIPLocalTimeGenerated

Operators

whereextendtostringparse_jsonproject-reorder

Actions

GitHub