Query Details
Devices With The Most SMB Sessions
Query
# Devices with the most SMB connections
## Query Information
#### Description
List all devices with the amount of SMB sessions they have.
## Defender For Endpoint
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let AllDomainControllers =
DeviceNetworkEvents
| where LocalPort == 88
| where LocalIPType == "FourToSixMapping"
| summarize make_set(DeviceId);
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where not(DeviceId in (AllDomainControllers)) // THis is to reduce FP because of e.g. MDI, if you do not have MDI do not use this filter.
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections
```
## Sentinel
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let AllDomainControllers =
DeviceNetworkEvents
| where LocalPort == 88
| where LocalIPType == "FourToSixMapping"
| summarize make_set(DeviceId);
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where not(DeviceId in (AllDomainControllers)) // This is to reduce FP because of e.g. MDI, if you do not have MDI do not use this filter.
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections
```
#### Versions
| Version | Comment |
| --- | --- |
| 1.0 | Initial commit |
| 1.1 | Timespan update |
Explanation
This query lists all devices and the number of SMB sessions they have. It filters out domain controllers and uses a customizable time frame to show the data.
Details
Bert-Jan Pals
Released: April 17, 2023
Tables
DeviceNetworkEvents
Keywords
Devices,SMB,Connections,DefenderForEndpoint,Sentinel
Operators
letwheresummarizesort bydcount