Query Details
Devices With Most SMB Connections
Query
# Hunt for devices with the most SMB connections ## Query Information #### Description This hunting query lists all the devices and the unique connections they have made with a remote SMB port. Devices with a large number of connected SMB sessions can be interesting to investigate. ## Defender For Endpoint ``` DeviceNetworkEvents | where RemotePort == 445 | where ActionType == "ConnectionSuccess" // Collect the last event that a device has connected via SMB to a unique remote IP | summarize arg_max(Timestamp, *) by DeviceId, RemoteIP | summarize SMBSessions = make_set(RemoteUrl) by DeviceName | extend TotalSMBConnections = array_length(SMBSessions) | sort by TotalSMBConnections ``` ## Sentinel ``` DeviceNetworkEvents | where RemotePort == 445 | where ActionType == "ConnectionSuccess" // Collect the last event that a device has connected via SMB to a unique remote IP | summarize arg_max(TimeGenerated, *) by DeviceId, RemoteIP | summarize SMBSessions = make_set(RemoteUrl) by DeviceName | extend TotalSMBConnections = array_length(SMBSessions) | sort by TotalSMBConnections ```
Explanation
This query identifies devices that have made the most connections to a remote SMB port. It filters for successful SMB connections and collects the last event for each device connected to a unique remote IP. It then summarizes the data by device name, counting the number of unique SMB sessions for each device. The results are sorted by the total number of SMB connections.
Details
Bert-Jan Pals
Released: February 14, 2023
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEvents,RemotePort,ActionType,Timestamp,DeviceId,RemoteIP,RemoteUrl,DeviceName,TotalSMBConnections
Operators
where|==summarizearg_max*byRemotePortActionTypeTimestampDeviceIdRemoteIPDeviceNameRemoteUrlextendTotalSMBConnectionsarray_lengthsort