KQL Search

Query Details

SMB Sessions Generated By File

Query

# Total SMB Sessions Created by FileName

### Defender For Endpoint
```
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath
```
### Sentinel
```
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath
```

#### Versions
| Version | Comment |
| ---  | --- |
| 1.0 | Initial commit |
| 1.1 | Timespan update |

Explanation

The query calculates the total number of SMB sessions created by each file name within a specified time frame. It filters out specific process file names and folders and groups the results by the initiating process file name and folder path. The query can be used in both Defender for Endpoint and Sentinel.

Details

Bert-Jan Pals

Released: April 17, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User

Operators

whereletsummarizebyago<>

KQL Search

SMB Sessions Generated By File

Query

Explanation

Details

Actions