KQL Search

Query Details

SMB Sessions By File Name

Query

# Total SMB Sessions Created by FileName

### Defender For Endpoint
```
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath
```
### Sentinel
```
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath
```

#### Versions
| Version | Comment |
| ---  | --- |
| 1.0 | Initial commit |
| 1.1 | Timespan update |

Explanation

This query calculates the total number of SMB sessions created by each file name within a specified time frame. It filters out specific file names and summarizes the count of unique remote IP addresses by the initiating process file name and folder path. The query can be used in both Defender for Endpoint and Sentinel.

Details

Bert-Jan Pals

Released: April 17, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User

Operators

wheresummarizedcount<>

KQL Search

SMB Sessions By File Name

Query

Explanation

Details

Actions