Total SMB Sessions Created by FileName
SMB Sessions By File Name
Query
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPathAbout this query
Total SMB Sessions Created by FileName
Query Information
Description
Total SMB Sessions Created by FileName
Defender XDR
Sentinel
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath
Explanation
This query is designed to analyze network events related to SMB (Server Message Block) sessions on a network. Here's a simplified explanation of what it does:
-
Time Frame: The query looks at data from the last 24 hours, but this time frame can be adjusted to cover different periods (e.g., hours or days).
-
Data Source: It examines events from
DeviceNetworkEvents, which logs network activities on devices. -
Port Filtering: It specifically filters for events where the remote port is 445, which is commonly used for SMB communication.
-
Exclusions: The query excludes events initiated by two specific processes:
Microsoft.Tri.Sensor.exeandsensendr.exe. These are likely legitimate processes related to security tools (MDI Sensor and MDE Device Discovery), and excluding them helps focus on other potentially interesting activities. -
Counting Unique Connections: For each initiating process (excluding the two specified), it counts the number of unique remote IP addresses that have been connected to. This is done using the
dcount(RemoteIP)function. -
Grouping: The results are grouped by the name of the initiating process and its folder path, providing insight into which processes are creating SMB sessions and from where they are being executed.
In summary, this query helps identify and count unique SMB sessions initiated by different processes on a network, excluding known security-related processes, to potentially spot unusual or unauthorized activities.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators