# Entity-exploration hunting query: given a host, list the 10 outbound network
# session destinations it talked to least often in the window. Rare destinations
# are a common hunting lead (unusual services, beaconing, staging/exfil hosts).
# The InputEntityType/OutputEntityTypes/DataSources keys match the Microsoft
# Sentinel exploration-query schema — confirm against sibling files in the repo.
Id: 8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb
DisplayName: Least Prevalent Outbound Network Connection Destinations
# The +-30m guidance matches QueryPeriodBefore/QueryPeriodAfter below.
Description: Bottom 10 (least prevalent) outbound network session destinations by a given host (set time range to +-30m when running the query)
# The selected Host entity supplies the HostName substituted for '<HostName>' in the query.
InputEntityType: Host
InputFields:
- HostName
# Entities produced from the result: Ip comes from the IP_Address column, DNS from
# the DomainName column (see the project-rename at the end of the query).
OutputEntityTypes:
- Ip
- DNS
# Look-back / look-ahead around the pivot time of the investigated entity.
QueryPeriodBefore: 30m
QueryPeriodAfter: 30m
# ASIM NetworkSession unifying parser (_Im_ prefix) — results depend on which
# network-session sources are onboarded in the workspace.
DataSources:
- _Im_NetworkSession
Tactics:
- Discovery
- LateralMovement
- Collection
query: |
  // Parameterised so the host name can be substituted by the investigation UI.
  let GetWireDataOutboundWithHost = (v_Host_HostName:string){
  // hostname_has_any is term ("has") matching, so a short or common name fragment
  // may match more than one device — verify the Dvc column in the results.
  _Im_NetworkSession(hostname_has_any=v_Host_HostName)
  // Only successful sessions; refused/failed connection attempts are excluded.
  // (=~ is case-insensitive equality.)
  | where EventResult =~ "success"
  | where NetworkDirection =~ "Outbound"
  // Not every source populates LocalAppName; default it so pack() below does not fail.
  | extend LocalAppName = column_ifexists("LocalAppName", "")
  // Per-session detail bag kept as evidence for each destination.
  // NOTE(review): the 'LocalPortNumber' key holds DstPortNumber, which for an
  // Outbound session is the remote port rather than the local one — confirm the
  // intended meaning with consumers of IP_Aux_info before relying on the label.
  | extend info = pack('Computer', DvcHostname, 'LocalPortNumber', DstPortNumber, 'DstIpAddr', Dst, 'SrcIpAddr', Src,'Direction', NetworkDirection, 'NetworkProtocol', NetworkProtocol, "LocalAppName", LocalAppName, "DstFQDN", DstFQDN)
  // One row per destination (address, device, FQDN): first/last seen, session
  // count (column count_), and up to 1000 distinct session detail bags.
  | summarize Process_Aux_Min_SessionStartTime=min(TimeGenerated), Process_Aux_Max_SessionStartTime=max(TimeGenerated), count(), IP_Aux_info = make_set(info, maxSize=1000) by Dst, Dvc, DstFQDN
  // Ascending order => the 10 destinations with the FEWEST sessions (least prevalent).
  | top 10 by count_ asc
  // Column names expected for the Ip and DNS output entities.
  | project-rename IP_Address=Dst, DomainName=DstFQDN
  };
  // change <HostName> value below
  GetWireDataOutboundWithHost('<HostName>')