NetworkSessions 表的查询
有关在 Azure 门户中使用这些查询的信息,请参阅 Log Analytics 教程。 有关 REST API,请参阅查询。
将流量传输到非标准端口
此查询标识通过多个端口发送连接请求的源 IP 地址。 这可能表明攻击者试图列出可用的服务。 参考:MITRE 网络服务扫描 (T1046)
// This query identifies source IP addresses sending connection requests over multiple ports.
// This could be an indication of adversary attempts to list available services.
// References: MITRE Network Service Scanning (T1046)
let threshold=5;
// Used to filter commonly used ports in your org
let commonPorts=dynamic([443, 53, 389, 80, 0, 880, 8888, 8080]);
NetworkSessions
| where isnotempty(DstPortNumber) and not(ipv4_is_private(DstIpAddr) )
// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port
| where DstPortNumber !between (toint(49512) .. toint(65535))
and DstPortNumber !in (commonPorts)
| where EventResult == "Failure"
| summarize PortCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 2m)
| where PortCount > threshold
到不常见域的高容量流量
此查询标识接收异常数据量的域。 这可能表明攻击者试图窃取和泄露数据。
// This query identifies domains receiving uncommon about of data volume.
// This could be an indication of adversary attempts to steal and exfiltrate data.
let isInternal = (url_hostname:string){url_hostname endswith ".local" or url_hostname endswith ".lan" or url_hostname endswith ".home"};
// used to exclude internal traffic
let top1M = (externaldata (Position:int, Domain:string) [@"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip"] with (format="csv", zipPattern="*.csv"));
// fetch the alexa top 1M domains
let top2ndLevelDomain=top1M
| extend Domain = tolower(extract("([^.]*).{0,7}$", 1, Domain))
| distinct Domain;
let rareDomainTraffic = NetworkSessions
| where isnotempty(UrlHostname) and not(isInternal(UrlHostname))
| extend SndLevelDomain=tolower(extract("([^.]*).{0,7}$", 1, UrlHostname))
| where SndLevelDomain !in (top2ndLevelDomain)
| summarize BytesSent=sum(SrcBytes) by SndLevelDomain, UrlHostname;
rareDomainTraffic | summarize TotalBytes=sum(BytesSent) by SndLevelDomain
| join kind=innerunique
rareDomainTraffic
on SndLevelDomain
| sort by TotalBytes desc