Open SkyeLowry opened 2 years ago
Hi Skye,
do you by any chance have an anonymized data sample you could share so I can look into this?
I will create one. I will try to get a sample of each of the body.properties.ActionType values.
```kql
//Identifies potential DNS tunnelling over HTTPS
//Microsoft Sentinel query
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend AF = parse_json(AdditionalFields)
| extend NetworkSignature = AF.SignatureName
//Search for network signatures that are DNS but not on regular DNS ports including Netbios & LLMNR if those are in use
| where NetworkSignature == "DNS_Request" and RemotePort !in ("53", "137", "5353", "5355")
//Exclude traffic where the remote IP is a private/local IP address, you can remove this if also interested in that traffic
| where not(ipv4_is_private(RemoteIP))
| project TimeGenerated, DeviceName, NetworkSignature, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl
```
```kql
//Advanced Hunting query
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend AF = parse_json(AdditionalFields)
| extend NetworkSignature = AF.SignatureName
//Search for network signatures that are DNS but not on regular DNS ports including Netbios & LLMNR if those are in use
| where NetworkSignature == "DNS_Request" and RemotePort !in ("53", "137", "5353", "5355")
//Exclude traffic where the remote IP is a private/local IP address, you can remove this if also interested in that traffic
| where not(ipv4_is_private(RemoteIP))
| project Timestamp, DeviceName, NetworkSignature, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl
```
@SkyeLowry I'm doing some cleanup and want to get this fixed. Do you have the samples?
The events from body.category="AdvancedHunting-DeviceNetworkEvents" include all events, though body.properties.ActionType has values:

- ConnectionSuccess
- NetworkSignatureInspected
- ListeningConnectionCreated
- ConnectionFailed
- InboundConnectionAccepted
- ConnectionFound
- ConnectionRequest
- ConnectionAcknowledged
- ConnectionAttempt
I am not certain which events should be included, though I do see "NetworkSignatureInspected" results in CIM events that don't seem to relate to the uses of the data model.
The problems this is creating show up in this example: the report [Endpoint - Listening Ports Tracker - Lookup Gen] from SA-EndpointProtection then adds those events to the listeningports_tracker lookup, but those events are not listening ports, and result in entries with transport=null in the output.
Also, state=listening makes sense for an ActionType of ListeningConnectionCreated. I think when ActionType=ConnectionSuccess|InboundConnectionAccepted the state should be established. (I don't know what other field values are possible.)
I think process_id could map to body.properties.InitiatingProcessId, process_guid could have a match, though I am not sure which value.
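The normalization Skye is describing, written out as an added Python example (not the add-on's own code): only the ActionTypes that describe a session state are mapped to CIM fields, NetworkSignatureInspected and the other non-session events are dropped before they can reach a listening-ports tracker, and process_id is taken from body.properties.InitiatingProcessId. The state mapping follows the suggestion in the thread and is an assumption; the body.properties keys Protocol, LocalIP, LocalPort, RemoteIP and RemotePort are assumed to carry the Advanced Hunting schema's values, and the sample records are constructed.

```python
# Added illustration, not code from the add-on discussed in this issue.
# Assumptions: the ActionType -> state mapping below follows the thread's
# suggestion; Protocol/LocalIP/LocalPort/RemoteIP/RemotePort are assumed to be
# the Advanced Hunting field names; all sample records are constructed.

from typing import Optional

# ActionType -> CIM "state" (assumed mapping). ActionTypes that are not
# connection-state events (NetworkSignatureInspected, ConnectionFound, ...)
# are absent here and are dropped by normalize_session().
STATE_BY_ACTION = {
    "ListeningConnectionCreated": "listening",
    "ConnectionSuccess": "established",
    "InboundConnectionAccepted": "established",
}


def normalize_session(record: dict) -> Optional[dict]:
    """Map one raw record ({"body": {"category": ..., "properties": {...}}})
    to CIM Network Sessions fields, or return None if it is not a session event."""
    body = record.get("body", {})
    if body.get("category") != "AdvancedHunting-DeviceNetworkEvents":
        return None
    props = body.get("properties", {})
    state = STATE_BY_ACTION.get(props.get("ActionType"))
    if state is None:
        return None  # no session state to report for this ActionType
    protocol = props.get("Protocol")
    return {
        "state": state,
        # transport ends up null exactly when the raw event carries no Protocol
        "transport": protocol.lower() if isinstance(protocol, str) and protocol else None,
        "src_ip": props.get("LocalIP"),
        "src_port": props.get("LocalPort"),
        "dest_ip": props.get("RemoteIP"),
        "dest_port": props.get("RemotePort"),
        "process_id": props.get("InitiatingProcessId"),
    }


def listening_ports(records: list) -> list:
    """Rows a listening-ports tracker should keep: listening state with a known transport."""
    rows = []
    for rec in records:
        cim = normalize_session(rec)
        if cim and cim["state"] == "listening" and cim["transport"] is not None:
            rows.append(cim)
    return rows


def _event(action: str, **props) -> dict:
    """Build a constructed sample record in the body.category/body.properties shape."""
    return {"body": {"category": "AdvancedHunting-DeviceNetworkEvents",
                     "properties": {"ActionType": action, **props}}}


# Constructed sample records covering ActionTypes named in the thread.
SAMPLE_RECORDS = [
    _event("ListeningConnectionCreated", Protocol="Tcp", LocalIP="10.0.0.5",
           LocalPort=8443, InitiatingProcessId=4120),
    _event("ConnectionSuccess", Protocol="Tcp", LocalIP="10.0.0.5", LocalPort=51022,
           RemoteIP="203.0.113.10", RemotePort=443, InitiatingProcessId=3344),
    # no Protocol value: this is the kind of record that produced transport=null
    _event("NetworkSignatureInspected", LocalIP="10.0.0.5", LocalPort=51023,
           RemoteIP="203.0.113.10", RemotePort=443),
    _event("ConnectionFound", Protocol="Udp", LocalIP="10.0.0.5", LocalPort=137),
]

if __name__ == "__main__":
    for row in listening_ports(SAMPLE_RECORDS):
        print(row)
```

Running the block prints a single tracker row, the ListeningConnectionCreated record; the NetworkSignatureInspected and ConnectionFound records are discarded rather than written out with a null transport.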