Adversaries may exploit critical ports opened to the entire internet to gain unauthorized access or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential attack vectors before they are leveraged in a real compromise.
KQL Query
//Check critical ports opened to the entire internet
AzureDiagnostics
| where Category == "NetworkSecurityGroupEvent"
| where direction_s == "In"
| where conditions_destinationPortRange_s in (
"22","22-22" //SSH
,"3389","3389-3389" //RDP
,"137","137-137" //NetBIOS
,"138","138-138" //NetBIOS
,"139","139-139" //SMB
,"53","53-53" //DNS
,"3020","3020-3020" //CIFS
,"3306","3306-3306" //MySQL
,"1521","1521-1521" //Oracle Database
,"2483","2483-2483" //Oracle Database
,"5432","5432-5432" //PostgreSQL
,"389","389-389" //LDAP
,"27017","27017-27017"//MongoDB
,"20","20-20" //FTP
,"21","21-21" //FTP
,"445","445-445" //Active Directory
,"161","161-161" //SNMP
,"25","25-25" //SMTP
)
or (conditions_destinationPortRange_s == "0-65535" and conditions_sourcePortRange_s == "0-65535")
| where priority_d < 65000 //Not to check the Azure defaults
| where conditions_sourceIP_s == "0.0.0.0/0,0.0.0.0/0" or conditions_sourceIP_s == "0.0.0.0/0" //With rules Any/Any
| where type_s !~ "block"
| order by TimeGenerated desc
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by OperationName, systemId_g, vnetResourceGuid_g, subnetPrefix_s, macAddress_s, primaryIPv4Address_s, ruleName_s, direction_s, priority_d, type_s, conditions_destinationIP_s, conditions_destinationPortRange_s, conditions_sourceIP_s, conditions_sourcePortRange_s, ResourceId
| extend timestamp = StartTime
id: 66d494c0-233c-438a-9b1b-5fe839790d38
name: Check critical ports opened to the entire internet
description: |
'Discover all critical ports from a list having rules like 'Any' for sourceIp, which means that they are opened to everyone. Critial ports should not be opened to everyone, and should be filtered.'
requiredDataConnectors:
- connectorId: WAF
dataTypes:
- AzureDiagnostics
tactics:
- InitialAccess
query: |
//Check critical ports opened to the entire internet
AzureDiagnostics
| where Category == "NetworkSecurityGroupEvent"
| where direction_s == "In"
| where conditions_destinationPortRange_s in (
"22","22-22" //SSH
,"3389","3389-3389" //RDP
,"137","137-137" //NetBIOS
,"138","138-138" //NetBIOS
,"139","139-139" //SMB
,"53","53-53" //DNS
,"3020","3020-3020" //CIFS
,"3306","3306-3306" //MySQL
,"1521","1521-1521" //Oracle Database
,"2483","2483-2483" //Oracle Database
,"5432","5432-5432" //PostgreSQL
,"389","389-389" //LDAP
,"27017","27017-27017"//MongoDB
,"20","20-20" //FTP
,"21","21-21" //FTP
,"445","445-445" //Active Directory
,"161","161-161" //SNMP
,"25","25-25" //SMTP
)
or (conditions_destinationPortRange_s == "0-65535" and conditions_sourcePortRange_s == "0-65535")
| where priority_d < 65000 //Not to check the Azure defaults
| where conditions_sourceIP_s == "0.0.0.0/0,0.0.0.0/0" or conditions_sourceIP_s == "0.0.0.0/0" //With rules Any/Any
| where type_s !~ "block"
| order by TimeGenerated desc
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by OperationName, systemId_g, vnetResourceGuid_g, subnetPrefix_s, macAddress_s, primaryIPv4Address_s, ruleName_s, direction_s, priority_d, type_s, conditions_destinationIP_s, conditions_destinationPortRange_s, conditions_sourceIP_s, conditions_sourcePortRange_s, ResourceId
| extend timestamp = StartTime
version: 1.0.0
metadata:
source:
kind: Community
author:
name: Alethor
support:
tier: Community
categories:
domains: [ "Security - Threat Protection" ]| Sentinel Table | Notes |
|---|---|
AzureDiagnostics | Ensure this data connector is enabled |
Scenario: Scheduled Job for System Updates
Description: A scheduled job runs nightly to update system packages, which temporarily opens critical ports (e.g., port 80 or 443) for a short period to fetch updates from a known repository.
Filter/Exclusion: Exclude traffic originating from the update server IP or use a time-based filter to ignore activity during the scheduled update window (e.g., src_ip == 192.168.1.100 or timestamp between '23:00' and '01:00').
Scenario: Internal Monitoring Tool Communication
Description: An internal monitoring tool (e.g., Prometheus or Nagios) communicates with a central server over a critical port (e.g., port 9090) to collect metrics, which is allowed for internal monitoring purposes.
Filter/Exclusion: Exclude traffic to/from the monitoring tool’s IP range (e.g., src_ip in [10.0.0.0/24] or dst_ip in [10.0.1.0/24]).
Scenario: Database Replication Over Public Cloud
Description: A database replication process (e.g., PostgreSQL streaming replication) uses a critical port (e.g., port 5432) to synchronize data between instances hosted in a public cloud environment, which is considered secure due to network segmentation.
Filter/Exclusion: Exclude traffic between known replication IPs (e.g., src_ip in [10.0.2.0/24] and dst_ip in [10.0.3.0/24]) or use a port-based exclusion for the replication port.
Scenario: Admin Task for Port Forwarding
Description: An admin temporarily opens a