Query Details

Wmi1

Query

DeviceNetworkEvents
| where Timestamp > ago(24h)
// RemotePort is an int column, so compare against a numeric literal, not "135"
| where RemotePort == 135
| where ActionType == "ConnectionSuccess"
| where Protocol == "Tcp"
// drop the local service accounts and machine accounts (names ending in $)
| where InitiatingProcessAccountName != @"system"
| where InitiatingProcessAccountName != @"network service"
| where InitiatingProcessAccountName !contains "$"
| summarize count() by InitiatingProcessAccountName
| sort by count_ desc

Explanation

This query reads the DeviceNetworkEvents table and keeps only events from the last 24 hours that were successful TCP connections to remote port 135, the RPC endpoint mapper that remote DCOM/WMI sessions start with. It then excludes events whose initiating process account name is "system" or "network service", or contains a dollar sign (machine accounts). The remaining events are counted per initiating process account name and sorted by count in descending order, so the user accounts making the most RPC connections appear first. Note that `!=` and `!contains` are case-sensitive in KQL; if account names in your tenant are not consistently lowercase, the case-insensitive forms `!~` and `!contains_cs`'s counterpart `!contains` (already case-insensitive) behave differently, so check the casing of the values you exclude.
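The same filter and aggregation, re-implemented in Python over a constructed set of DeviceNetworkEvents rows so the logic can be run and checked offline (an added example, not part of the original query page). It assumes the column values shown in the query; the account-name exclusions are applied case-insensitively, which goes slightly beyond the case-sensitive `!=` in the KQL.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like DeviceNetworkEvents (not real telemetry).
NOW = datetime(2023, 9, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=1), "RemotePort": 135, "ActionType": "ConnectionSuccess",
     "Protocol": "Tcp", "InitiatingProcessAccountName": "alice"},
    {"Timestamp": NOW - timedelta(hours=2), "RemotePort": 135, "ActionType": "ConnectionSuccess",
     "Protocol": "Tcp", "InitiatingProcessAccountName": "alice"},
    {"Timestamp": NOW - timedelta(hours=3), "RemotePort": 135, "ActionType": "ConnectionSuccess",
     "Protocol": "Tcp", "InitiatingProcessAccountName": "system"},      # excluded: service account
    {"Timestamp": NOW - timedelta(hours=3), "RemotePort": 135, "ActionType": "ConnectionSuccess",
     "Protocol": "Tcp", "InitiatingProcessAccountName": "WS01$"},       # excluded: machine account
    {"Timestamp": NOW - timedelta(hours=4), "RemotePort": 135, "ActionType": "ConnectionFailed",
     "Protocol": "Tcp", "InitiatingProcessAccountName": "bob"},         # excluded: not a success
    {"Timestamp": NOW - timedelta(hours=30), "RemotePort": 135, "ActionType": "ConnectionSuccess",
     "Protocol": "Tcp", "InitiatingProcessAccountName": "bob"},         # excluded: older than 24h
    {"Timestamp": NOW - timedelta(minutes=5), "RemotePort": 445, "ActionType": "ConnectionSuccess",
     "Protocol": "Tcp", "InitiatingProcessAccountName": "carol"},       # excluded: not port 135
    {"Timestamp": NOW - timedelta(minutes=5), "RemotePort": 135, "ActionType": "ConnectionSuccess",
     "Protocol": "Tcp", "InitiatingProcessAccountName": "carol"},
]

EXCLUDED_ACCOUNTS = {"system", "network service"}  # local service accounts the query drops


def rpc_epm_connections_by_account(events, now=NOW, window=timedelta(hours=24)):
    """Apply the query's filters; return [(account, count)] sorted by count descending."""
    counts = Counter()
    for e in events:
        if e["Timestamp"] <= now - window:
            continue  # | where Timestamp > ago(24h)
        if e["RemotePort"] != 135 or e["Protocol"] != "Tcp":
            continue  # RPC endpoint mapper over TCP only
        if e["ActionType"] != "ConnectionSuccess":
            continue  # completed connections only
        account = e["InitiatingProcessAccountName"]
        if account.lower() in EXCLUDED_ACCOUNTS or "$" in account:
            continue  # drop service accounts and machine accounts (trailing $)
        counts[account] += 1
    # equivalent of: summarize count() by account | sort by count_ desc
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for account, n in rpc_epm_connections_by_account(SAMPLE_EVENTS):
        print(f"{account}\t{n}")
```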

Details

Daniel Card

Released: September 4, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, Timestamp, RemotePort, ActionType, Protocol, InitiatingProcessAccountName, System, NetworkService

Operators

where, >, ago, ==, !=, !contains, summarize, count(), by, sort by