Microsoft Defender for Endpoint Blog

Discovering internet-facing devices using Microsoft Defender for Endpoint

NimrodRoimy (Microsoft)
Apr 18, 2023

Last year, we announced the evolution of the device inventory view in Microsoft Defender for Endpoint. The revamped device inventory view gave SOC analysts visibility into all discovered devices, counts and functional features (such as, search) that enhanced the overall user experience. To build on top of this work, we are expanding our device discovery capabilities through our existing network telemetry and RiskIQ integration. We’re thrilled to announce the ability to discover internet-facing devices is now in public preview.

 

Threat actors are constantly scanning the internet to identify exposed devices, whether it’s part of an opportunistic malicious activity or a wider targeted campaign. These devices serve as highly accessible entry points to an organization’s environment. Mapping your organization’s external attack surface is a key part of security posture management. However, security teams are faced with the challenges of identifying and prioritizing exposed devices to address the greatest threats on their most critical devices.

 

To help organizations extend their threat protection across internet-facing devices, Microsoft Defender for Endpoint will automatically map and flag onboarded devices that are exposed to the internet in the Microsoft 365 Defender portal, providing more context to security teams and deeper insights into device exploitability. With a view into internet-facing devices, security teams can better prioritize alerts, recommendations and incidents, since internet-facing devices are often an adversary's entry point into the corporate network.

 

New capabilities to map internet-facing devices

Mapping internet-facing devices is often challenging because there is no single indicator or piece of logic that determines whether a device is accessible from the internet. Many organizations use public IP ranges, numerous data sources, and their own classification logic to cross-reference their devices, and these varying methodologies make it harder for admins to gain visibility and verify the accuracy of the insights generated across their digital estate. With the new capabilities in Microsoft 365 Defender, we leverage existing Microsoft Defender for Endpoint telemetry and the integration with RiskIQ to map internet-facing devices through a standardized approach that gathers these insights with precision and less manual effort.

 

Integration with RiskIQ

RiskIQ has catalogued the services, applications, and devices exposed on the IPv4 Internet. By leveraging the integration within Microsoft Defender for Endpoint, administrators can identify the exact devices that are internet facing. In addition to providing visibility into internet-facing devices, the RiskIQ integration works hand-in-hand with Defender for Endpoint's network traffic parsing capability to provide concrete evidence of network exposure even where NAT obscures the device behind a public address.

 

Relying on Microsoft Defender for Endpoint Signals

The device network connections captured as part of Microsoft Defender for Endpoint signals help to identify internet-facing devices. Using this information, we can identify which external, incoming connections indicate that a machine is facing the internet.

 

To identify the external IPs that are communicating with internal devices, we first need to determine which subnets are part of the corporate network. The subnets of machines protected by Defender for Endpoint are visible to the service, and this information is used to classify each connection captured by Microsoft Defender for Endpoint as internal or external.
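The classification described above, as an added illustration that is not code from the post or from Defender for Endpoint: a set of corporate subnets (hypothetical values, including one public range the organization is assumed to own) is used to decide whether each accepted inbound connection came from inside or outside the corporate network. The event records are constructed, with column names only loosely modelled on DeviceNetworkEvents; the output is the per-device evidence (local port, protocol, remote address) that an external peer reached the device.

```python
import ipaddress
from collections import defaultdict

# Constructed corporate ranges: two RFC 1918 blocks plus one public block the
# organization is assumed to own (hypothetical values). A real deployment would
# derive these from the subnets of its onboarded devices, as the post describes.
CORPORATE_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),  # hypothetical owned public range (TEST-NET-3)
]

# Constructed connection records, loosely modelled on DeviceNetworkEvents columns.
EVENTS = [
    {"DeviceName": "web01", "LocalIP": "10.1.2.3", "LocalPort": 443,
     "RemoteIP": "198.51.100.7", "Protocol": "Tcp", "ActionType": "InboundConnectionAccepted"},
    {"DeviceName": "web01", "LocalIP": "10.1.2.3", "LocalPort": 443,
     "RemoteIP": "10.1.9.9", "Protocol": "Tcp", "ActionType": "InboundConnectionAccepted"},
    {"DeviceName": "fs01", "LocalIP": "192.168.5.5", "LocalPort": 445,
     "RemoteIP": "203.0.113.40", "Protocol": "Tcp", "ActionType": "InboundConnectionAccepted"},
    {"DeviceName": "fs01", "LocalIP": "192.168.5.5", "LocalPort": 53,
     "RemoteIP": "8.8.8.8", "Protocol": "Udp", "ActionType": "ConnectionSuccess"},
    {"DeviceName": "vpn01", "LocalIP": "203.0.113.2", "LocalPort": 500,
     "RemoteIP": "192.0.2.77", "Protocol": "Udp", "ActionType": "InboundConnectionAccepted"},
]


def is_internal(ip: str, subnets=CORPORATE_SUBNETS) -> bool:
    """True if the address falls inside a subnet the organization treats as its own."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def internet_facing_evidence(events, subnets=CORPORATE_SUBNETS):
    """Return {device name: sorted [(local_port, protocol, remote_ip), ...]} for inbound
    connections accepted from addresses outside the corporate subnets."""
    evidence = defaultdict(set)
    for ev in events:
        if ev["ActionType"] != "InboundConnectionAccepted":
            continue  # outbound traffic says nothing about exposure
        if is_internal(ev["RemoteIP"], subnets):
            continue  # peer is inside the corporate network, even if its IP is public
        evidence[ev["DeviceName"]].add((ev["LocalPort"], ev["Protocol"], ev["RemoteIP"]))
    return {dev: sorted(items) for dev, items in evidence.items()}


if __name__ == "__main__":
    for device, items in internet_facing_evidence(EVENTS).items():
        print(device, items)
```

The fs01 device is deliberately not flagged: its one accepted inbound connection came from the organization's own public range, which is exactly the case the post has in mind when it says that relying on "public versus private address" alone is not enough.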

 

Let’s take a look at the user experience

The classified internet-facing devices will appear with the corresponding tag in the device inventory and will also be available via Advanced Hunting.

Figure 1 - Internet-facing tag in the device inventory

Notice how the internet-facing devices that were publicly scanned while masked behind the NAT configuration can now be observed in the query results below.


Figure 2 - Querying for internet facing devices via Advanced Hunting

 

The device pane now shows the internet-facing properties:


Figure 3 - Device pane

 

Try this for yourself by using this example query, which returns the latest results on internet-facing devices:

DeviceInfo
| where Timestamp > ago(7d)
| where IsInternetFacing
| extend InternetFacingInfo = AdditionalFields
| extend InternetFacingReason = extractjson("$.InternetFacingReason", InternetFacingInfo, typeof(string)),
         InternetFacingLocalPort = extractjson("$.InternetFacingLocalPort", InternetFacingInfo, typeof(int)),
         InternetFacingScannedPublicPort = extractjson("$.InternetFacingScannedPublicPort", InternetFacingInfo, typeof(int)),
         InternetFacingScannedPublicIp = extractjson("$.InternetFacingScannedPublicIp", InternetFacingInfo, typeof(string)),
         InternetFacingLocalIp = extractjson("$.InternetFacingLocalIp", InternetFacingInfo, typeof(string)),
         InternetFacingTransportProtocol = extractjson("$.InternetFacingTransportProtocol", InternetFacingInfo, typeof(string)),
         InternetFacingLastSeen = extractjson("$.InternetFacingLastSeen", InternetFacingInfo, typeof(datetime))
| summarize arg_max(Timestamp, *) by DeviceId

The results list the internet-facing devices (one row per device, its most recent record) with the aggregated evidence carried as JSON in the "AdditionalFields" column.

 

For example:

InternetFacingLastSeen – last time the device was updated as internet facing.

InternetFacingReason – the detection method used to identify internet facing.

InternetFacingPublicScannedIp – what the external address is, in case NAT was detected.
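The same extraction performed outside the portal, as an added example that is not part of the post: given rows exported from DeviceInfo (constructed here, with the Timestamp, DeviceId, IsInternetFacing and AdditionalFields columns the query uses), it applies the time window and IsInternetFacing filter, pulls each key the query extracts from the AdditionalFields JSON with the same type coercion and null-on-missing behaviour as extractjson(), keeps the latest row per device as arg_max(Timestamp, *) does, and lists flagged devices whose evidence is empty so an analyst knows which rows still need investigation.

```python
import json
from datetime import datetime, timezone


def parse_ts(s: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps used in the constructed rows."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _evidence(**kw) -> str:
    return json.dumps(kw)


# Constructed DeviceInfo-style rows. The JSON keys are the ones the post's query
# extracts; every value (device ids, addresses, ports, times) is made up.
ROWS = [
    {"Timestamp": "2023-04-17T08:00:00Z", "DeviceId": "dev-a", "IsInternetFacing": True,
     "AdditionalFields": _evidence(
         InternetFacingReason="External scan", InternetFacingLocalPort=3389,
         InternetFacingScannedPublicPort=3389, InternetFacingScannedPublicIp="198.51.100.7",
         InternetFacingLocalIp="10.1.2.3", InternetFacingTransportProtocol="TCP",
         InternetFacingLastSeen="2023-04-17T07:55:00Z")},
    {"Timestamp": "2023-04-16T08:00:00Z", "DeviceId": "dev-a", "IsInternetFacing": True,
     "AdditionalFields": _evidence(                       # older record, superseded by the one above
         InternetFacingReason="External scan", InternetFacingLocalPort=3389,
         InternetFacingScannedPublicPort=3389, InternetFacingScannedPublicIp="198.51.100.9",
         InternetFacingLocalIp="10.1.2.3", InternetFacingTransportProtocol="TCP",
         InternetFacingLastSeen="2023-04-16T07:55:00Z")},
    {"Timestamp": "2023-04-17T09:00:00Z", "DeviceId": "dev-b", "IsInternetFacing": True,
     "AdditionalFields": "{}"},                           # flagged, but no evidence recorded
    {"Timestamp": "2023-04-17T09:00:00Z", "DeviceId": "dev-c", "IsInternetFacing": False,
     "AdditionalFields": "{}"},                           # not internet facing, filtered out
]

# Key -> type, mirroring the typeof(...) arguments in the query's extractjson() calls.
FIELDS = {
    "InternetFacingReason": str,
    "InternetFacingLocalPort": int,
    "InternetFacingScannedPublicPort": int,
    "InternetFacingScannedPublicIp": str,
    "InternetFacingLocalIp": str,
    "InternetFacingTransportProtocol": str,
    "InternetFacingLastSeen": "datetime",
}


def extract_fields(additional_fields: str) -> dict:
    """Pull each key from the AdditionalFields JSON and coerce it to the declared type;
    a missing, malformed or unparsable value becomes None (extractjson() yields null)."""
    try:
        data = json.loads(additional_fields or "{}")
    except json.JSONDecodeError:
        data = {}
    out = {}
    for key, typ in FIELDS.items():
        val = data.get(key)
        if val is None:
            out[key] = None
            continue
        try:
            out[key] = parse_ts(val) if typ == "datetime" else typ(val)
        except (ValueError, TypeError):
            out[key] = None
    return out


def latest_internet_facing(rows, since: datetime) -> dict:
    """Emulate `where Timestamp > since | where IsInternetFacing | extend ... |
    summarize arg_max(Timestamp, *) by DeviceId`: {DeviceId: latest extended row}."""
    latest = {}
    for row in rows:
        ts = parse_ts(row["Timestamp"])
        if ts <= since or not row["IsInternetFacing"]:
            continue
        dev = row["DeviceId"]
        if dev not in latest or ts > latest[dev]["Timestamp"]:
            latest[dev] = {"Timestamp": ts, "DeviceId": dev, **extract_fields(row["AdditionalFields"])}
    return latest


def missing_evidence(result: dict) -> list:
    """Device ids flagged as internet facing but with no InternetFacingReason to act on."""
    return sorted(d for d, r in result.items() if r["InternetFacingReason"] is None)


if __name__ == "__main__":
    result = latest_internet_facing(ROWS, parse_ts("2023-04-10T00:00:00Z"))
    for dev, rec in result.items():
        print(dev, rec["InternetFacingReason"], rec["InternetFacingScannedPublicIp"])
    print("no evidence:", missing_evidence(result))
```

The time window is passed in as an explicit `since` rather than computed from the clock so the run is reproducible; in the portal, `ago(7d)` does the same job relative to query time.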

 

Resources

For those looking to learn more about device discovery, here are some additional resources you can explore.

  1. Learn more about Investigating internet-facing devices
  2. Learn more about Microsoft Defender Device Discovery
  3. Learn more about Network Device Discovery
Updated Apr 24, 2023
Version 5.0

15 Comments

  • Help i downloaded this for internet security bc my wifi etc keeps vetting hacked cyber crime etc please help me secure my wifi and get 2 corrupt police officers off my yahoo account they are accsessing via my old phone i am not a crim we are a fam of 4 and have been relentld

  • PJR_CDF
    Iron Contributor

    NimrodRoimy 

     

    This is a really useful capability so thought I'd kick the tyres and see what's what.

     

    Following the documentation here - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/internet-facing-devices?view=o365-worldwide I started looking at devices in my environment tagged as "Internet Facing". When looking in the device list and filtering based on "internet facing" the results return 1 device in the last 30 days.

     

    If I use the advanced hunting query from the same article, the results include 15 devices from the last 30 days that have "IsinternetFacing" set as "1", but data is only present in InternetFacingInfo for 4 of the 15 devices (the 4 includes the 1 device returned by the Device list filter).

     

    1) Why the discrepancy between the Adv Hunting data and the data returned in the devices list?
    2) Why do only 4 of the 15 returned devices in Advanced hunting have InternetFacingInfo returned?
    3) For the device returned in the Devices view it states the device was detected by an external scan - has this device been picked up by an actual external scan or has the result been inferred based on data from MDE?

     

    All the identified protocols in my environment were UDP but again when I check using the KQL in the documentation no results are returned - I assume this means that no actual connections were made?

     

    In those circumstances is the calculation of a device being internet facing a purely theoretical one based on analysis of the device's local firewall config and what would happen if the device was accessible on the public internet, or does the calculation of a device being "internet facing" take NAT/Firewall provided by upstream hardware into account - i.e. the device being flagged is actually accessible via the identified method from the public internet?

     

  • Philost
    Brass Contributor

    I have the same question as jschwager 

     

    Have seen devices reporting "IsInternetFacing" yet with no "InternetFacingPublicScannedIp" value, and investigation shows TCP connections from public IPs that are owned by devices in our company that are part of a network firewalled from the public Internet (although using non-RFC1918 network addresses).

     

    Is a RiskIQ "scan" (connection) required to trigger "IsInternetFacing"? Or do non-RFC1918 IPs observed on the device by MDE also trigger "IsInternetFacing" to be true?

     

    NimrodRoimy 

  • jschwager
    Copper Contributor

    The term "external scans" is being used here, but is that actually what's happening, or is MDE just using network data available on the local machine to infer that a device is internet-facing?

  • LoicM
    Brass Contributor

    Hello,

     

    How do you manage to remove false positives when the devices are behind a cloud proxy used by other clients too?

    A public IP found by RiskIQ doesn't always belong to only one host?

    You should edit your link and remove the Review part: https://review.learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/internet-facing-devices?view=o365-worldwide&branch=siosulli-internetfacing#use-advanced-hunting