Query Details

Device Visualize Port22processes

Query

//Summarize and visualize the different initiating process filenames (InitiatingProcessFileName) behind successful TCP port 22 connections

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 22
| where isnotempty(InitiatingProcessFileName)
| summarize Count=count() by InitiatingProcessFileName
| top 20 by Count
| render barchart with (title="Processes initiating TCP port 22 connections")

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 22
| where isnotempty(InitiatingProcessFileName)
| summarize Count=count() by InitiatingProcessFileName
| top 20 by Count
//Advanced hunting doesn't support barcharts, so render as a piechart instead, or remove the line below to get a table
| render piechart

Explanation

This query summarizes and visualizes the different process filenames that initiate TCP port 22 connections. It reads the DeviceNetworkEvents table, available either through the M365 Defender data connector in Microsoft Sentinel or directly in Advanced Hunting. It keeps only successful connection events (ActionType == "ConnectionSuccess") to remote port 22 where the initiating process filename is populated, then groups by InitiatingProcessFileName and counts the events. The 20 filenames with the highest counts are rendered as a bar chart titled "Processes initiating TCP port 22 connections" in Microsoft Sentinel; in Advanced Hunting the same result is rendered as a pie chart or returned as a table. Note that the field used is the process that opened the connection, not its parent (that is InitiatingProcessParentFileName), and that filtering on RemotePort == 22 catches only the standard SSH port: SSH served on a non-standard port, or a non-SSH service listening on 22, is not distinguished by this query. The count is also per connection event, so a single chatty client can dominate the chart; a less common filename near the bottom of the list is usually the more interesting finding.
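The summary above is a baseline view; the natural next step when hunting is to pivot from the chart to the hosts where port 22 connections were opened by something other than an expected SSH client. The following query is an added example for that pivot, not part of the original query set. The ExpectedSshClients list is an assumption and should be tuned to the environment; every column it uses (DeviceName, RemoteIP, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentFileName) is a standard column of DeviceNetworkEvents.

```kusto
// Added example: hosts making successful TCP port 22 connections from processes
// outside a baseline of expected SSH clients. Microsoft Sentinel column names;
// for Advanced Hunting replace TimeGenerated with Timestamp.
// The client baseline below is an assumption - extend it with the SSH tooling
// that is legitimately deployed in your environment.
let ExpectedSshClients = dynamic(["ssh", "ssh.exe", "scp.exe", "sftp.exe", "putty.exe", "plink.exe", "winscp.exe", "pscp.exe"]);
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 22
| where isnotempty(InitiatingProcessFileName)
// case-insensitive "not in" so Ssh.EXE and ssh.exe are treated the same
| where InitiatingProcessFileName !in~ (ExpectedSshClients)
| summarize
    Connections = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    // cap the sets so one noisy host cannot blow up the result row
    RemoteIPs = make_set(RemoteIP, 20),
    ParentProcesses = make_set(InitiatingProcessParentFileName, 10)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| order by Connections desc
```

Grouping on the folder path and command line matters here: a binary named ssh.exe running from a user's Downloads folder, or a scripting host such as python or powershell opening port 22, looks identical to a legitimate client in the filename-only chart but stands out once the path, command line and parent process are in the row. Hosts with a low connection count and a single remote IP are worth looking at first.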

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,TimeGenerated,ActionType,ConnectionSuccess,RemotePort,isnotempty,InitiatingProcessFileName,Count,top,render,barchart,title,AdvancedHunting,Timestamp,ago,piechart,table

Operators

where, ago, isnotempty, summarize, count, by, top, render