28 строки
1.1 KiB
Plaintext
28 строки
1.1 KiB
Plaintext
// Name: WireData Most Prevalent Inbound Connections by Process
|
|
// Description: Top 10 (most prevalent) for WireData Inbound event by a given process in the range of +-30
|
|
//
|
|
// Id: ab3845ff-ea7d-44b4-b763-b0cacb8450a7
|
|
//
|
|
// Entity: Process
|
|
// Input: Process, ProcessName
|
|
// Output: Computer, Process, IP
|
|
//
|
|
// QueryPeriod: +-30m
|
|
//
|
|
// Data Source: WireData
|
|
//
|
|
// Tactics: #Probing, #Discovery, #LateralMovement, #Collection
|
|
//
|
|
let GetWireDataInboundWithProcess = (suspiciousEventTime:datetime, v_Process:string){
|
|
let v_StartTime = suspiciousEventTime-30m;
|
|
let v_EndTime = suspiciousEventTime+30m;
|
|
WireData
|
|
| where TimeGenerated between (v_StartTime .. v_EndTime)
|
|
| where Direction == "Inbound"
|
|
| where ProcessName has v_Process
|
|
| summarize min(SessionStartTime), count() by Computer, ProcessName , LocalIP, LocalPortNumber, RemoteIP, Direction, ApplicationProtocol
|
|
| top 10 by count_ desc
|
|
| project min_SessionStartTime, Computer, ProcessName , LocalIP, LocalPortNumber, RemoteIP, Direction, ApplicationProtocol, count_
|
|
};
|
|
// change datetime value and <processname> value below
|
|
GetWireDataInboundWithProcess(datetime('2019-01-30T10:36:07Z'), "<processname>") |