NimrodRoimy
This is a really useful capability, so I thought I'd kick the tyres and see what's what.
Following the documentation here - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/internet-facing-devices?view=o365-worldwide I started looking at devices in my environment tagged as "Internet Facing". When looking in the device list and filtering based on "internet facing" the results return 1 device in the last 30 days.
If I use the advanced hunting query from the same article, the results include 15 devices from the last 30 days that have "IsinternetFacing" set to "1", but data is only present in InternetFacingInfo for 4 of the 15 devices (the 4 include the 1 device returned by the device list filter).
1) Why the discrepancy between the Adv Hunting data and the data returned in the devices list?
2) Why do only 4 of the 15 returned devices in Advanced hunting have InternetFacingInfo returned?
3) For the device returned in the Devices view it states the device was detected by an external scan - has this device been picked up by an actual external scan or has the result been inferred based on data from MDE?
All the identified protocols in my environment were UDP but again when I check using the KQL in the documentation no results are returned - I assume this means that no actual connections were made?
In those circumstances, is the calculation of a device being internet facing a purely theoretical one based on analysis of the device's local firewall config and what would happen if the device were accessible on the public internet, or does the calculation of a device being "internet facing" take NAT/firewall provided by upstream hardware into account, i.e. is the device being flagged actually accessible via the identified method from the public internet?
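One way to narrow down where the 15-versus-4 gap comes from is to separate devices that reported the flag at any point in the window from devices whose most recent record still carries it together with InternetFacingInfo. This query is an added example, not part of the original post or the Microsoft article; it assumes the advanced hunting DeviceInfo table with a boolean IsInternetFacing column and a string InternetFacingInfo column, which is how the post refers to them.

```kusto
// Added example (not from the original post). Assumes DeviceInfo exposes
// IsInternetFacing (bool) and InternetFacingInfo (string/JSON) as the post describes.
let window = 30d;
// Every device that carried the flag on ANY record in the window.
let everFlagged = DeviceInfo
    | where Timestamp > ago(window)
    | where IsInternetFacing
    | distinct DeviceId;
// The single most recent record per device, which is what a device-list
// view is most likely to reflect.
let latestPerDevice = DeviceInfo
    | where Timestamp > ago(window)
    | summarize arg_max(Timestamp, *) by DeviceId;
latestPerDevice
| where DeviceId in (everFlagged)
| extend StillFlagged = IsInternetFacing,
         HasInfo = isnotempty(InternetFacingInfo)
// Bucket the "ever flagged" devices by whether the latest record still
// says internet facing and whether it carries any InternetFacingInfo.
| summarize DeviceCount = count(), Devices = make_set(DeviceName) by StillFlagged, HasInfo
| order by StillFlagged desc, HasInfo desc
```

If most of the 15 land in the StillFlagged = false bucket, the discrepancy is explained by older records that have since aged out of the per-device latest state rather than by the device list hiding results.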