Query Details

Users IPs Ports

Query

//Shows users, IPs, and ports used 

let timeframe = 7d; //Setting the time frame variable to look at 7 days of data
SecurityEvent //the table
| where TimeGenerated >= ago(timeframe) //applying the timeframe variable
| where isnotempty(SubjectUserName) //making sure we return actual data, not blank fields
| where SubjectUserName != "-" and IpAddress != "-" and IpPort != "-" //eliminating the dash character from results
| where isnotempty(IpAddress) //making sure we return actual data, not blank fields
| where isnotempty(IpPort) //making sure we return actual data, not blank fields
| distinct SubjectUserName, IpAddress, IpPort //showing distinct records

Explanation

This query retrieves information about users, IP addresses, and ports used. It filters the data to only include records from the past 7 days and eliminates any blank fields. It also removes records with dash characters (-) in the SubjectUserName, IpAddress, and IpPort fields. Finally, it displays distinct records for SubjectUserName, IpAddress, and IpPort.
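The query above returns one row per user/IP/port combination, which is useful for inventory but not for spotting the outliers an analyst usually wants. The following KQL is an added example (not part of the original page or the author's query) that keeps the same SecurityEvent filters and then aggregates per user: how many events, when the user was first and last seen, how many distinct source IPs they came from, and a sample of the ports involved. The threshold of 5 distinct IPs and the set size of 20 ports are assumed values chosen for illustration; tune them to your environment.

```kql
// Added example: aggregate the user/IP/port data per user to surface accounts
// seen from many source addresses in the window.
let timeframe = 7d;                 // same 7-day window as the original query
let minDistinctIPs = 5;             // assumed threshold, adjust per environment
SecurityEvent
| where TimeGenerated >= ago(timeframe)
// Keep only rows where all three fields carry real values; Windows logs "-"
// when the field does not apply to the event, so both checks are needed.
| where isnotempty(SubjectUserName) and isnotempty(IpAddress) and isnotempty(IpPort)
| where SubjectUserName != "-" and IpAddress != "-" and IpPort != "-"
| summarize
    EventCount  = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    DistinctIPs = dcount(IpAddress),
    SourceIPs   = make_set(IpAddress, 20),   // at most 20 sample IPs per user
    Ports       = make_set(IpPort, 20)       // at most 20 sample ports per user
    by SubjectUserName
| where DistinctIPs >= minDistinctIPs
| order by DistinctIPs desc, EventCount desc
```

Run it in the same Log Analytics workspace as the original query. Drop the final `where` to see every user, or swap `by SubjectUserName` for `by SubjectUserName, IpAddress` when the question is which ports a specific address used rather than how widely an account roams.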

Details


Rod Trent

Released: February 1, 2022

Tables

SecurityEvent

Keywords

Users,IPs,Ports

Operators

where, isnotempty, !=, distinct
