共用方式為


NetworkSessions 數據表的查詢

如需在 Azure 入口網站 中使用這些查詢的詳細資訊,請參閱Log Analytics教學課程。 如需 REST API,請參閱 查詢

取得非標準埠的流量

此查詢會識別透過多個埠傳送連線要求的來源IP位址。 這可能表示對手嘗試列出可用的服務。 參考:MITRE 網路服務掃描 (T1046)

// This query identifies source IP addresses sending connection requests over multiple ports.
// This could be an indication of adversary attempts to list available services.
// References: MITRE Network Service Scanning (T1046)
let threshold=5;
// Used to filter commonly used ports in your org
let commonPorts=dynamic([443, 53, 389, 80, 0, 880, 8888, 8080]);
NetworkSessions
 | where isnotempty(DstPortNumber) and not(ipv4_is_private(DstIpAddr) ) 
 // filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port
 | where DstPortNumber !between (toint(49512) .. toint(65535)) 
     and DstPortNumber !in (commonPorts)
 | where EventResult == "Failure" 
 | summarize PortCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 2m)
 | where PortCount > threshold

大量流量到不常見的網域

此查詢會識別接收不常見數據磁碟區的網域。 這可能表明對手試圖竊取和外泄數據。

// This query identifies domains receiving uncommon about of data volume.
// This could be an indication of adversary attempts to steal and exfiltrate data.
let isInternal = (url_hostname:string){url_hostname endswith ".local" or url_hostname endswith ".lan" or url_hostname endswith ".home"};
    // used to exclude internal traffic
let top1M =  (externaldata (Position:int, Domain:string) [@"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip"]  with (format="csv", zipPattern="*.csv"));
    // fetch the alexa top 1M domains
let top2ndLevelDomain=top1M
    | extend Domain = tolower(extract("([^.]*).{0,7}$", 1, Domain)) 
    | distinct Domain;
let rareDomainTraffic = NetworkSessions
    | where isnotempty(UrlHostname) and not(isInternal(UrlHostname))
    | extend SndLevelDomain=tolower(extract("([^.]*).{0,7}$", 1, UrlHostname))
    | where SndLevelDomain !in (top2ndLevelDomain)
    | summarize BytesSent=sum(SrcBytes) by SndLevelDomain, UrlHostname;
rareDomainTraffic | summarize TotalBytes=sum(BytesSent) by SndLevelDomain
| join kind=innerunique
    rareDomainTraffic
        on SndLevelDomain
| sort by TotalBytes desc