Consultas para a tabela NetworkSessions

Obter tráfego para portas não padrão

Esta consulta identifica os endereços IP de origem que enviam pedidos de ligação através de várias portas. Isto pode ser uma indicação de tentativas de adversários para listar os serviços disponíveis. Referências: Análise de Serviços de Rede MITRE (T1046)

// This query identifies source IP addresses sending connection requests over multiple ports.
// This could be an indication of adversary attempts to list available services.
// References: MITRE Network Service Scanning (T1046)
let threshold=5;
// Used to filter commonly used ports in your org
let commonPorts=dynamic([443, 53, 389, 80, 0, 880, 8888, 8080]);
 | where isnotempty(DstPortNumber) and not(ipv4_is_private(DstIpAddr) ) 
 // filter out IANA ephemeral or negotiated ports as per
 | where DstPortNumber !between (toint(49512) .. toint(65535)) 
     and DstPortNumber !in (commonPorts)
 | where EventResult == "Failure" 
 | summarize PortCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 2m)
 | where PortCount > threshold

Tráfego de volume elevado para domínios incomuns

Esta consulta identifica os domínios que recebem uma quantidade invulgar de volume de dados. Isto pode ser uma indicação de tentativas do adversário de roubar e exfiltrar dados.

// This query identifies domains receiving uncommon about of data volume.
// This could be an indication of adversary attempts to steal and exfiltrate data.
let isInternal = (url_hostname:string){url_hostname endswith ".local" or url_hostname endswith ".lan" or url_hostname endswith ".home"};
    // used to exclude internal traffic
let top1M =  (externaldata (Position:int, Domain:string) [@""]  with (format="csv", zipPattern="*.csv"));
    // fetch the alexa top 1M domains
let top2ndLevelDomain=top1M
    | extend Domain = tolower(extract("([^.]*).{0,7}$", 1, Domain)) 
    | distinct Domain;
let rareDomainTraffic = NetworkSessions
    | where isnotempty(UrlHostname) and not(isInternal(UrlHostname))
    | extend SndLevelDomain=tolower(extract("([^.]*).{0,7}$", 1, UrlHostname))
    | where SndLevelDomain !in (top2ndLevelDomain)
    | summarize BytesSent=sum(SrcBytes) by SndLevelDomain, UrlHostname;
rareDomainTraffic | summarize TotalBytes=sum(BytesSent) by SndLevelDomain
| join kind=innerunique
        on SndLevelDomain
| sort by TotalBytes desc