Query Details

Total SMB Sessions Created by FileName

SMB Sessions By File Name

Query

let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath

About this query

Total SMB Sessions Created by FileName

Query Information

Description

Total SMB Sessions Created by FileName

Defender XDR

Sentinel

let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath

Explanation

This query is designed to analyze network events related to SMB (Server Message Block) sessions on a network. Here's a simplified explanation of what it does:

  1. Time Frame: The query looks at data from the last 24 hours, but this time frame can be adjusted to cover different periods (e.g., hours or days).

  2. Data Source: It examines events from DeviceNetworkEvents, which logs network activities on devices.

  3. Port Filtering: It specifically filters for events where the remote port is 445, which is commonly used for SMB communication.

  4. Exclusions: The query excludes events initiated by two specific processes: Microsoft.Tri.Sensor.exe and sensendr.exe. These are likely legitimate processes related to security tools (MDI Sensor and MDE Device Discovery), and excluding them helps focus on other potentially interesting activities.

  5. Counting Unique Connections: For each initiating process (excluding the two specified), it counts the number of unique remote IP addresses that have been connected to. This is done using the dcount(RemoteIP) function.

  6. Grouping: The results are grouped by the name of the initiating process and its folder path, providing insight into which processes are creating SMB sessions and from where they are being executed.

In summary, this query helps identify and count unique SMB sessions initiated by different processes on a network, excluding known security-related processes, to potentially spot unusual or unauthorized activities.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsRemotePortInitiatingProcessFileNameIPFolderPath

Operators

letagowhere==<>summarizedcountby

Actions

GitHub