29 строки
912 B
YAML
29 строки
912 B
YAML
Id: 73fb9b8d-fd13-4c43-8136-6d693cafaa23
|
|
DisplayName: Hosts receiving the most amount of data from this IP
|
|
Description: Hosts receiving the most amount of data from this IP during the range of -1d and +1d
|
|
InputEntityType: Ip
|
|
InputFields:
|
|
- Address
|
|
OutputEntityTypes:
|
|
- Host
|
|
QueryPeriodBefore: 1d
|
|
QueryPeriodAfter: 1d
|
|
DataSources:
|
|
- WireData
|
|
Tactics:
|
|
- Exfiltration
|
|
- CommandAndControl
|
|
- Collection
|
|
query: |
|
|
|
|
let HostsReceivingDatafromIP = (v_IP_Address:string){
|
|
WireData
|
|
| parse Computer with HostName '.' Host_DnsDomain
|
|
| where SessionState == 'Disconnected'
|
|
| where RemoteIP =~ v_IP_Address
|
|
| extend Host_HostName = iff(Computer has '.', HostName, Computer)
|
|
| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain
|
|
| top 10 by Host_Aux_BytesReceived desc nulls last
|
|
};
|
|
HostsReceivingDatafromIP('<Address>')
|