Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml
# Entity-exploration query: given an IP entity, list the hosts (from the WireData
# table) that received the most bytes from that IP inside the configured window.
Id: 73fb9b8d-fd13-4c43-8136-6d693cafaa23
DisplayName: Hosts receiving the most amount of data from this IP
Description: Hosts receiving the most amount of data from this IP during the range of -1d and +1d
# The input entity is an IP; its Address field is what the '<Address>' placeholder
# on the query's last line stands for (substituted by the caller — presumably
# verbatim, so the value must be in the same textual form as WireData.RemoteIP).
InputEntityType: Ip
InputFields:
- Address
# Each result row is surfaced as a Host entity; presumably it is built from the
# Host_* columns the query emits (Host_HostName, Host_DnsDomain,
# Host_Aux_BytesReceived) — confirm against the exploration-query schema.
OutputEntityTypes:
- Host
# Lookback/lookahead around the entity's timestamp; matches the "-1d and +1d"
# in Description.
QueryPeriodBefore: 1d
QueryPeriodAfter: 1d
DataSources:
- WireData
Tactics:
- Exfiltration
- CommandAndControl
- Collection
# Notes on the KQL below (the query text itself is unchanged):
# - `parse Computer with HostName '.' Host_DnsDomain` splits Computer at a '.'
#   into a short host name and a DNS domain. When Computer has no '.', the
#   `iff(...)` fallback uses the whole Computer value as Host_HostName, and
#   Host_DnsDomain is presumably left empty/null by the non-matching parse —
#   confirm.
# - `SessionState == 'Disconnected'` keeps only closed sessions; presumably
#   because byte counters are reported at disconnect — verify against the
#   WireData schema. Sessions still open at query time are therefore not
#   counted, so a long-lived transfer can be under-reported.
# - `RemoteIP =~ v_IP_Address` is a case-insensitive string equality, not a
#   CIDR/range match; only exact address matches are returned.
# - `make_set(LocalIP)` carries no alias, so the column takes the engine's
#   default name (presumably set_LocalIP); consumers relying on it should
#   confirm.
# - NOTE(review): `Computer has '.'` uses term matching, where '.' is a term
#   delimiter rather than a term; whether this condition ever matches should
#   be verified — `Computer contains '.'` is the literal test for the fallback.
# - `top 10 by Host_Aux_BytesReceived desc nulls last` returns the ten hosts
#   with the largest summed ReceivedBytes, null sums ordered to the end.
query: |

  let HostsReceivingDatafromIP = (v_IP_Address:string){
  WireData
  | parse Computer with HostName '.' Host_DnsDomain
  | where SessionState == 'Disconnected'
  | where RemoteIP =~ v_IP_Address
  | extend Host_HostName = iff(Computer has '.', HostName, Computer)
  | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), make_set(LocalIP) by Host_HostName, Host_DnsDomain
  | top 10 by Host_Aux_BytesReceived desc nulls last
  };
  HostsReceivingDatafromIP('<Address>')