NetworkSessions 表的查询

有关在 Azure 门户中使用这些查询的信息,请参阅 Log Analytics 教程。 有关 REST API,请参阅查询

将流量传输到非标准端口

此查询标识通过多个端口发送连接请求的源 IP 地址。 这可能表明攻击者试图列出可用的服务。 参考:MITRE 网络服务扫描 (T1046)

// This query identifies source IP addresses sending connection requests over multiple ports.
// This could be an indication of adversary attempts to list available services.
// References: MITRE Network Service Scanning (T1046)
let threshold=5;
// Used to filter commonly used ports in your org
let commonPorts=dynamic([443, 53, 389, 80, 0, 880, 8888, 8080]);
NetworkSessions
 | where isnotempty(DstPortNumber) and not(ipv4_is_private(DstIpAddr) ) 
 // filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port
 | where DstPortNumber !between (toint(49512) .. toint(65535)) 
     and DstPortNumber !in (commonPorts)
 | where EventResult == "Failure" 
 | summarize PortCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 2m)
 | where PortCount > threshold

到不常见域的高容量流量

此查询标识接收异常数据量的域。 这可能表明攻击者试图窃取和泄露数据。

// This query identifies domains receiving uncommon about of data volume.
// This could be an indication of adversary attempts to steal and exfiltrate data.
let isInternal = (url_hostname:string){url_hostname endswith ".local" or url_hostname endswith ".lan" or url_hostname endswith ".home"};
    // used to exclude internal traffic
let top1M =  (externaldata (Position:int, Domain:string) [@"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip"]  with (format="csv", zipPattern="*.csv"));
    // fetch the alexa top 1M domains
let top2ndLevelDomain=top1M
    | extend Domain = tolower(extract("([^.]*).{0,7}$", 1, Domain)) 
    | distinct Domain;
let rareDomainTraffic = NetworkSessions
    | where isnotempty(UrlHostname) and not(isInternal(UrlHostname))
    | extend SndLevelDomain=tolower(extract("([^.]*).{0,7}$", 1, UrlHostname))
    | where SndLevelDomain !in (top2ndLevelDomain)
    | summarize BytesSent=sum(SrcBytes) by SndLevelDomain, UrlHostname;
rareDomainTraffic | summarize TotalBytes=sum(BytesSent) by SndLevelDomain
| join kind=innerunique
    rareDomainTraffic
        on SndLevelDomain
| sort by TotalBytes desc