Query Details
DeviceNetworkEvents
| where Timestamp > ago(24h)                          // last 24 hours only
| where RemotePort == "135"                           // MS-RPC endpoint mapper
| where ActionType == "ConnectionSuccess"            // completed connections, not attempts
| where Protocol == "Tcp"
| where InitiatingProcessAccountName != @"system"            // drop built-in service accounts
| where InitiatingProcessAccountName != @"network service"
| where InitiatingProcessAccountName !contains "$"           // drop computer (machine) accounts
| summarize count() by InitiatingProcessAccountName, InitiatingProcessFileName
| sort by count_ desc
This query reads the DeviceNetworkEvents table and keeps only events from the last 24 hours in which a process successfully opened a TCP connection to remote port 135 (the MS-RPC endpoint mapper). It excludes connections initiated by the built-in "system" and "network service" accounts and by any account name containing "$" (computer accounts), so what remains is user-account RPC activity. It then counts events per unique combination of initiating account name and process file name and sorts the results by that count in descending order. Note that KQL's != comparison is case-sensitive, so the account-name exclusions only match the lowercase spellings given.
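To show exactly which rows the query's filters keep and drop, here is an added Python re-implementation of its logic run over constructed sample rows (example code, not from the original page or its author). It mirrors KQL's case-sensitive != on the account name, so a row whose account is spelled "SYSTEM" still passes; the sample rows and the fixed "now" are constructed for the demonstration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so that ago(24h) is reproducible (constructed value).
NOW = datetime(2023, 9, 4, 12, 0, tzinfo=timezone.utc)

def ev(hours_ago, port, action, acct, exe, proto="Tcp"):
    """Build one constructed row with the DeviceNetworkEvents columns the query uses."""
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "RemotePort": port, "ActionType": action,
            "Protocol": proto, "InitiatingProcessAccountName": acct, "InitiatingProcessFileName": exe}

# Constructed sample events; comments say which 'where' clause drops each row.
SAMPLE_EVENTS = [
    ev(1, 135, "ConnectionSuccess", "jdoe", "powershell.exe"),
    ev(2, 135, "ConnectionSuccess", "jdoe", "powershell.exe"),
    ev(3, 135, "ConnectionSuccess", "system", "svchost.exe"),   # dropped: built-in account
    ev(4, 135, "ConnectionSuccess", "ws01$", "svchost.exe"),    # dropped: machine account ("$")
    ev(30, 135, "ConnectionSuccess", "jdoe", "wmic.exe"),       # dropped: older than 24h
    ev(5, 135, "ConnectionFailed", "admin", "wmic.exe"),        # dropped: not a successful connection
    ev(6, 135, "ConnectionSuccess", "SYSTEM", "svchost.exe"),   # kept: KQL != is case-sensitive
    ev(7, 445, "ConnectionSuccess", "admin", "wmic.exe"),       # dropped: not port 135
    ev(8, 135, "ConnectionSuccess", "admin", "wmic.exe"),
]

EXCLUDED_ACCOUNTS = {"system", "network service"}   # exact, case-sensitive like KQL !=

def matches(event, now=NOW):
    """Apply the query's 'where' clauses to one event."""
    acct = event["InitiatingProcessAccountName"]
    return (
        event["Timestamp"] > now - timedelta(hours=24)      # Timestamp > ago(24h)
        and event["RemotePort"] == 135                      # RemotePort == 135 (integer column)
        and event["ActionType"] == "ConnectionSuccess"
        and event["Protocol"] == "Tcp"
        and acct not in EXCLUDED_ACCOUNTS
        and "$" not in acct                                 # !contains "$" drops computer accounts
    )

def summarize(events, now=NOW):
    """summarize count() by account, file name | sort by count_ desc."""
    counts = Counter((e["InitiatingProcessAccountName"], e["InitiatingProcessFileName"])
                     for e in events if matches(e, now))
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (acct, exe), n in summarize(SAMPLE_EVENTS):
        print(f"{n:>3}  {acct:<16} {exe}")
```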

Daniel Card
Released: September 4, 2023