28 строки
1.1 KiB
Plaintext
28 строки
1.1 KiB
Plaintext
// Name: WireData Most Prevalent Outbound Connections by IPAddress
|
|
// Description: Top 10 (most prevalent) for WireData Outbound event by a given IPAddress in the range of +-30m
|
|
//
|
|
// Id: f95ebeb5-07a4-40c3-9d91-60065436b0e6
|
|
//
|
|
// Entity: IPAddress
|
|
// Input: IPAddress
|
|
// Output: Computer, Process, IP
|
|
//
|
|
// QueryPeriod: +-30m
|
|
//
|
|
// Data Source: WireData
|
|
//
|
|
// Tactics: #Probing, #Discovery, #LateralMovement, #Collection
|
|
//
|
|
let GetWireDataOutboundWithHost = (suspiciousEventTime:datetime, v_IPAddress:string){
|
|
let v_StartTime = suspiciousEventTime-1d;
|
|
let v_EndTime = suspiciousEventTime+1d;
|
|
WireData
|
|
| where TimeGenerated between (v_StartTime .. v_EndTime)
|
|
| where Direction == "Outbound"
|
|
| where LocalIP has v_IPAddress
|
|
| summarize min(SessionStartTime), count() by Computer, ProcessName , LocalIP, LocalPortNumber, RemoteIP, Direction, ApplicationProtocol
|
|
| top 10 by count_ desc
|
|
| project min_SessionStartTime, Computer, ProcessName , LocalIP, LocalPortNumber, RemoteIP, Direction, ApplicationProtocol, count_
|
|
};
|
|
// change datetime value and <processname> value below
|
|
GetWireDataOutboundWithHost(datetime('2019-03-31T10:36:07Z'), "<hostname>") |