DevicesWithTheMostSMBSessions.md
Devices with the most SMB connections

Query Information

Description

List all devices with the number of SMB sessions they have.

Defender XDR

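let TimeFrame = 24h; // Customizable: h = hours, d = days
// Devices seen accepting Kerberos traffic (LocalPort 88) are treated as domain controllers.
// NOTE(review): the LocalIPType filter is kept as the author wrote it; confirm it matches how
// domain controllers show up in your tenant's DeviceNetworkEvents before relying on it.
let AllDomainControllers =
    DeviceNetworkEvents
    | where LocalPort == 88
    | where LocalIPType == "FourToSixMapping"
    // distinct yields one DeviceId per row, which is what `in` / `!in` consumes from a tabular
    // expression (it matches against the first column's values); make_set would instead produce
    // a single row holding a dynamic array, so the per-row string comparison never matches.
    | distinct DeviceId;
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445 // outbound SMB initiated by the device
// Exclude domain controllers to reduce false positives caused by e.g. MDI; drop this filter if you do not have MDI.
| where DeviceId !in (AllDomainControllers)
// Distinct remote IPs per device; a high fan-out from a single workstation is worth triage (share discovery, lateral movement).
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections desc // `sort by` already defaults to descending; spelled out for readability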

Sentinel

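let TimeFrame = 24h; // Customizable: h = hours, d = days
// Devices seen accepting Kerberos traffic (LocalPort 88) are treated as domain controllers.
// NOTE(review): the LocalIPType filter is kept as the author wrote it; confirm it matches how
// domain controllers show up in your workspace's DeviceNetworkEvents before relying on it.
let AllDomainControllers =
    DeviceNetworkEvents
    | where LocalPort == 88
    | where LocalIPType == "FourToSixMapping"
    // distinct yields one DeviceId per row, which is what `in` / `!in` consumes from a tabular
    // expression (it matches against the first column's values); make_set would instead produce
    // a single row holding a dynamic array, so the per-row string comparison never matches.
    | distinct DeviceId;
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445 // outbound SMB initiated by the device
// Exclude domain controllers to reduce false positives caused by e.g. MDI; drop this filter if you do not have MDI.
| where DeviceId !in (AllDomainControllers)
// Distinct remote IPs per device; a high fan-out from a single workstation is worth triage (share discovery, lateral movement).
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections desc // `sort by` already defaults to descending; spelled out for readability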