Query Details

Meraki SIGRED

Query

//Looking for SIGRED

Cisco_Meraki_CL
| where ((record_type == "SIG" or record_type == "sig" or record_type == "RRSIG" or record_type == "rrsig") and network_protocol == "tcp") 
| summarize dcount_query = dcount(query) by SourceIp | where dcount_query < 15

Explanation

This query looks for DNS activity associated with SIGRED in the Cisco Meraki logs. It keeps events whose record type is SIG or RRSIG (upper or lower case) and whose network protocol is TCP, counts the distinct query values seen from each source IP address, and returns only the source IP addresses with fewer than 15 distinct queries.
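
To check the filter and the threshold without live Meraki data, the following added example (not part of the original query page) runs the same logic over constructed rows. The IP addresses and domain names are made up, and `in~` / `=~` are used here as case-insensitive stand-ins for the four literal comparisons in the query above.

```kql
// Constructed sample rows; column names follow the query above.
// 10.0.0.21: a few distinct SIG lookups over TCP (below the threshold of 15)
// 10.0.0.22: SIG over UDP, exercises the protocol filter
// 10.0.0.23: ordinary A lookup over TCP, exercises the record-type filter
let Clients = datatable(SourceIp:string, record_type:string,
                        network_protocol:string, query:string)
[
    "10.0.0.21", "SIG", "tcp", "a.example.test",
    "10.0.0.21", "sig", "tcp", "a.example.test",
    "10.0.0.21", "SIG", "tcp", "b.example.test",
    "10.0.0.22", "SIG", "udp", "a.example.test",
    "10.0.0.23", "A",   "tcp", "c.example.test"
];
// 10.0.0.53: 20 distinct RRSIG names over TCP (at or above the threshold)
let Resolver = range i from 1 to 20 step 1
    | project SourceIp = "10.0.0.53",
              record_type = "RRSIG",
              network_protocol = "tcp",
              query = strcat("zone", tostring(i), ".example.test");
union Clients, Resolver
// Case-insensitive match on record type and protocol (assumption: the
// original matches only the exact spellings SIG, sig, RRSIG, rrsig and tcp)
| where record_type in~ ("SIG", "RRSIG") and network_protocol =~ "tcp"
// dcount counts distinct query names per source, not raw events;
// the extra events column (added here) shows the difference
| summarize dcount_query = dcount(query), events = count() by SourceIp
| where dcount_query < 15
```

Replacing `union Clients, Resolver` with `Cisco_Meraki_CL` runs the same pipeline against the real table.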

Details

Rod Trent

Released: November 4, 2020

Tables

Cisco_Meraki_CL

Keywords

Cisco,Meraki,SIG,RRSIG,SourceIp

Operators

where,or,and,==
