Query Details

SMB Sessions By Device

Query

# Total SMB Sessions Created by a suspicious device

### Defender For Endpoint
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']); // device FQDNs as they appear in DeviceName
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445 // SMB over TCP; legacy NetBIOS session traffic on 139 is not included
| where ActionType == "ConnectionSuccess" // established connections only, failed attempts are excluded
| where DeviceName in~ (SuspiciousDevices) // in~ is a case-insensitive match
| summarize IPsAccessed = make_set(RemoteIP), TotalIPs = dcount(RemoteIP) by DeviceName // distinct destinations, not a session count
```
### Sentinel
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']); // device FQDNs as they appear in DeviceName
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame) // Sentinel uses TimeGenerated instead of Timestamp
| where RemotePort == 445 // SMB over TCP; legacy NetBIOS session traffic on 139 is not included
| where ActionType == "ConnectionSuccess" // established connections only, failed attempts are excluded
| where DeviceName in~ (SuspiciousDevices) // in~ is a case-insensitive match
| summarize IPsAccessed = make_set(RemoteIP), TotalIPs = dcount(RemoteIP) by DeviceName // distinct destinations, not a session count
```

#### Versions
| Version | Comment |
| ---  | --- |
| 1.0 | Initial commit |
| 1.1 | Timespan update |


Explanation

The query lists the SMB activity of a named set of devices. It filters DeviceNetworkEvents to the chosen time frame, to successful outbound connections (ActionType "ConnectionSuccess") on remote port 445, and to the devices in the SuspiciousDevices list, which is matched case-insensitively with in~. For each matching device it then returns the set of remote IPs that were reached (IPsAccessed) and the number of distinct remote IPs (TotalIPs). Note that TotalIPs is a count of distinct destinations, not of individual sessions: a device that opened ten connections to one file server shows TotalIPs of 1, while a device that touched many hosts once each (a pattern worth checking for lateral movement or share enumeration) shows a high value.
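To make the filtering and aggregation concrete, the following Python replays the same logic over a handful of constructed DeviceNetworkEvents rows so the result can be checked offline. This is an added example and not part of the original query or of Bert-Jan Pals' repository; the sample rows, the extra TotalSessions column and the high_fanout_devices threshold helper are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real telemetry). Column names follow the
# Defender for Endpoint DeviceNetworkEvents schema used by the query above;
# the Sentinel copy of the table carries the same columns with
# TimeGenerated in place of Timestamp.
NOW = datetime(2023, 4, 17, 12, 0, tzinfo=timezone.utc)


def _row(hours_ago, device, port, action, ip):
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceName": device,
            "RemotePort": port, "ActionType": action, "RemoteIP": ip}


SAMPLE_EVENTS = [
    _row(1, "server1.com", 445, "ConnectionSuccess", "10.0.0.5"),
    _row(2, "SERVER1.COM", 445, "ConnectionSuccess", "10.0.0.5"),    # same host, different case
    _row(3, "server1.com", 445, "ConnectionSuccess", "10.0.0.6"),
    _row(4, "server1.com", 445, "ConnectionFailed", "10.0.0.7"),     # dropped: not ConnectionSuccess
    _row(5, "laptop1.com", 3389, "ConnectionSuccess", "10.0.0.8"),   # dropped: not port 445
    _row(48, "laptop1.com", 445, "ConnectionSuccess", "10.0.0.9"),   # dropped: outside the 24h window
    _row(6, "laptop1.com", 445, "ConnectionSuccess", "10.0.0.10"),
    _row(7, "laptop1.com", 445, "ConnectionSuccess", "10.0.0.10"),   # second session to the same IP
    _row(8, "otherhost.com", 445, "ConnectionSuccess", "10.0.0.11"), # dropped: not a listed device
]


def smb_sessions_by_device(events, suspicious_devices,
                           time_frame=timedelta(hours=24), now=NOW):
    """Apply the same filters and aggregation as the KQL query.

    Returns {DeviceName: {"IPsAccessed": [...], "TotalIPs": n, "TotalSessions": m}}.
    TotalIPs mirrors dcount(RemoteIP); TotalSessions is an added count() of the
    matching rows, included to show that the two are not the same number.
    Grouping is by the exact DeviceName string, as `summarize ... by DeviceName`
    does, even though the membership test (`in~`) is case-insensitive.
    """
    wanted = {d.lower() for d in suspicious_devices}   # in~ : case-insensitive
    cutoff = now - time_frame                          # Timestamp > ago(TimeFrame)
    ips = defaultdict(set)
    sessions = defaultdict(int)
    for e in events:
        if not e["Timestamp"] > cutoff:
            continue
        if e["RemotePort"] != 445:                     # SMB over TCP
            continue
        if e["ActionType"] != "ConnectionSuccess":     # == is case-sensitive in KQL
            continue
        if e["DeviceName"].lower() not in wanted:
            continue
        ips[e["DeviceName"]].add(e["RemoteIP"])        # make_set / dcount
        sessions[e["DeviceName"]] += 1                 # count()
    return {
        name: {"IPsAccessed": sorted(ips[name]),
               "TotalIPs": len(ips[name]),
               "TotalSessions": sessions[name]}
        for name in ips
    }


def high_fanout_devices(results, min_distinct_ips):
    """Devices whose distinct SMB destinations reach a threshold. This is a
    hypothetical triage rule; the original query applies no threshold."""
    return sorted(n for n, r in results.items() if r["TotalIPs"] >= min_distinct_ips)


if __name__ == "__main__":
    res = smb_sessions_by_device(SAMPLE_EVENTS, ["server1.com", "laptop1.com"])
    for name, r in res.items():
        print(name, r)
    print("fan-out >= 2:", high_fanout_devices(res, 2))
```

Two things the sample makes visible: laptop1.com reaches one distinct IP in two sessions, so TotalIPs is 1 while TotalSessions is 2, and the row whose DeviceName differs only in case passes the in~ filter but lands in its own group. If device names in your tenant are not consistently cased, summarize by tolower(DeviceName) to get one row per host.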

Details

Bert-Jan Pals

Released: April 17, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User,TotalSMBSessions,SuspiciousDevice,DefenderForEndpoint,Sentinel,TimeFrame,SuspiciousDevices,DeviceNetworkEvents,Timestamp,RemotePort,ActionType,DeviceName,RemoteIP,IPsAccessed,TotalIPs,TimeGenerated

Operators

let, dynamic, DeviceNetworkEvents, where, Timestamp, ago, RemotePort, ActionType, DeviceName, in~, summarize, make_set, RemoteIP, TotalIPs, dcount