
Endpoint.Ports includes extraneous events #9

Open
SkyeLowry opened this issue Feb 12, 2022 · 4 comments

Comments

@SkyeLowry

The events from body.category="AdvancedHunting-DeviceNetworkEvents" includes all events, though body.properties.ActionType has values:

ConnectionSuccess
NetworkSignatureInspected
ListeningConnectionCreated
ConnectionFailed
InboundConnectionAccepted
ConnectionFound
ConnectionRequest
ConnectionAcknowledged
ConnectionAttempt

I am not certain which events should be included, though I do see "NetworkSignatureInspected" results in CIM events that don't seem to relate to the uses of the data model.

The problems this is creating show up in this example:
The report [Endpoint - Listening Ports Tracker - Lookup Gen] from SA-EndpointProtection then adds those events to the listeningports_tracker lookup, but those events are not listening ports, and result in entries with transport=null in the output.

Also, state=listening makes sense for an ActionType of ListeningConnectionCreated. I think when ActionType=ConnectionSuccess|InboundConnectionAccepted the state should be established. (I don't know what other field values are possible.)

I think process_id could map to body.properties.InitiatingProcessId, process_guid could have a match, though I am not sure which value.
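The filtering and state mapping proposed in this issue, written out as an added Python example (not the add-on's own extraction logic): the sample DeviceNetworkEvents rows are constructed, the ActionType-to-state table and the field names chosen for Endpoint.Ports are assumptions based on the comment above, and the naive mapper reproduces the transport=null rows that the filtered mapper avoids.

```python
"""Map Defender AdvancedHunting-DeviceNetworkEvents rows to CIM Endpoint.Ports.

The ActionType -> state mapping follows the proposal in this issue and is an
assumption, not the add-on's own logic.
"""

# Constructed sample of body.properties rows (values are made up; only the
# ActionType names come from the issue).
SAMPLE_EVENTS = [
    {"ActionType": "ListeningConnectionCreated", "DeviceName": "host-a",
     "Protocol": "Tcp", "LocalPort": 3389, "InitiatingProcessId": 1120},
    {"ActionType": "ConnectionSuccess", "DeviceName": "host-a",
     "Protocol": "Tcp", "LocalPort": 49700, "InitiatingProcessId": 4412},
    {"ActionType": "NetworkSignatureInspected", "DeviceName": "host-a",
     "LocalPort": 49700, "InitiatingProcessId": 4412},  # no Protocol field
    {"ActionType": "ConnectionFailed", "DeviceName": "host-a",
     "Protocol": "Tcp", "LocalPort": 49701, "InitiatingProcessId": 4412},
]

# Assumed ActionType -> Endpoint.Ports state mapping (from the issue text).
STATE_BY_ACTION = {
    "ListeningConnectionCreated": "listening",
    "ConnectionSuccess": "established",
    "InboundConnectionAccepted": "established",
}


def map_event(props):
    """Turn one DeviceNetworkEvents row into an Endpoint.Ports record."""
    return {
        "dest": props.get("DeviceName"),
        "dest_port": props.get("LocalPort"),
        "transport": (props.get("Protocol") or "").lower() or None,
        "state": STATE_BY_ACTION.get(props.get("ActionType")),
        "process_id": props.get("InitiatingProcessId"),
    }


def ports_naive(events):
    """Reported behaviour: every row is mapped, so non-port rows get transport=None."""
    return [map_event(p) for p in events]


def ports_filtered(events):
    """Keep only ActionTypes that describe a port state; drop the rest."""
    return [map_event(p) for p in events if p.get("ActionType") in STATE_BY_ACTION]


if __name__ == "__main__":
    for row in ports_naive(SAMPLE_EVENTS):
        print("naive   ", row)
    for row in ports_filtered(SAMPLE_EVENTS):
        print("filtered", row)
```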

@inspired
Collaborator

Hi Skye,

do you by any chance have an anonymized data sample you could share so I can look into this?

@SkyeLowry
Author

I will create one. I will try to get a sample of each of the body.properties.ActionType values.

@GArayaR

GArayaR commented Mar 31, 2022

//Identifies potential DNS tunnelling over HTTPS
//Microsoft Sentinel query
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend AF = parse_json(AdditionalFields)
| extend NetworkSignature = AF.SignatureName
//Search for network signatures that are DNS but not on regular DNS ports including Netbios & LLMNR if those are in use
| where NetworkSignature == "DNS_Request" and RemotePort !in ("53", "137", "5353", "5355")
//Exclude traffic where the remote IP is a private/local IP address, you can remove this if also interested in that traffic
| where not(ipv4_is_private(RemoteIP))
| project
TimeGenerated,
DeviceName,
NetworkSignature,
LocalIP,
LocalPort,
RemoteIP,
RemotePort,
RemoteUrl

//Advanced Hunting query
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend AF = parse_json(AdditionalFields)
| extend NetworkSignature = AF.SignatureName
//Search for network signatures that are DNS but not on regular DNS ports including Netbios & LLMNR if those are in use
| where NetworkSignature == "DNS_Request" and RemotePort !in ("53", "137", "5353", "5355")
//Exclude traffic where the remote IP is a private/local IP address, you can remove this if also interested in that traffic
| where not(ipv4_is_private(RemoteIP))
| project
Timestamp,
DeviceName,
NetworkSignature,
LocalIP,
LocalPort,
RemoteIP,
RemotePort,
RemoteUrl

@inspired
Collaborator

@SkyeLowry I'm doing some cleanup and want to get this fixed. Do you have the samples?
