Detect the usage of weak SSH sessions

Defender For Endpoint

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "SSH"
| where SignatureMatchedContent == 'SSH-1'
| project-reorder Timestamp, DeviceName, RemoteIP, LocalIP

Sentinel

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "SSH"
| where SignatureMatchedContent == 'SSH-1'
| project-reorder TimeGenerated, DeviceName, RemoteIP, LocalIP

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WeakSSHVersionUsed.md

WeakSSHVersionUsed.md

Detect the usage of weak SSH sessions

Defender For Endpoint

Sentinel

Files

WeakSSHVersionUsed.md

Latest commit

History

WeakSSHVersionUsed.md

File metadata and controls

Detect the usage of weak SSH sessions

Defender For Endpoint

Sentinel