Sysmon – Outbound Connections by Process

Search:

    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Protocol=tcp Initiated=true
    | eval src=if(isnotnull(SourceHostname), SourceHostname+":"+SourcePort, SourceIp+":"+SourcePort)
    | eval dest=if(isnotnull(DestinationHostname), DestinationHostname+":"+DestinationPort, DestinationIp+":"+DestinationPort)
    | eval src_dest=src+" => "+dest
    | stats values(src_dest) as Connection by ProcessGuid ProcessId User Computer Image

What it does: EventCode=3 selects Sysmon network connection events, Protocol=tcp drops UDP, and Initiated=true keeps only connections the host opened itself (outbound), not ones it accepted. The two eval statements build "host:port" strings, preferring the resolved hostname and falling back to the IP address. The stats call then lists every distinct source => destination pair per process, keyed on ProcessGuid (unique per process instance, so it is safe across PID reuse and reboots) together with ProcessId, User, Computer and Image.

Caveats: Sysmon commonly writes a literal "-" when it cannot resolve a hostname (DestinationHostname in particular), and isnotnull() treats "-" as a value, so the output will contain entries such as "-:443" instead of the IP. Add a second condition to each if() that also rejects "-" if you want the IP fallback to apply. values() de-duplicates and discards counts and timing; use count, or earliest/latest on _time, when you need connection volume or a time range per process.
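The filter-and-group logic of the search, rewritten in Python over a handful of constructed Sysmon Event ID 3 records so it can be run and checked offline. This is an added example, not code from the original post; the XML builder, the hostnames, IP addresses, process GUIDs and user names are made up for illustration, and the treatment of "-" as an unresolved hostname is an assumption to verify against your own Sysmon events. It goes one step beyond the SPL by applying that "-" fallback, which isnotnull() does not.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Windows event XML namespace used by XmlWinEventLog / Sysmon records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sysmon_event_xml(event_id, computer, **data):
    """Build one Sysmon-style <Event> record (constructed sample data, not real telemetry)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        '<Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>{event_id}</EventID><Computer>{computer}</Computer>"
        f"</System><EventData>{fields}</EventData></Event>"
    )


# Constructed processes and host (hypothetical values).
_SVCHOST = dict(ProcessGuid="{a1b2c3d4-0000-0000-0000-000000000001}", ProcessId="4321",
                Image=r"C:\Windows\System32\svchost.exe", User=r"NT AUTHORITY\SYSTEM")
_PWSH = dict(ProcessGuid="{a1b2c3d4-0000-0000-0000-000000000002}", ProcessId="5120",
             Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", User=r"CORP\alice")
_LOCAL = dict(SourceIp="10.0.0.5", SourceHostname="WS01.corp.local")

SAMPLE_XML = "<Events>" + "".join([
    # svchost: outbound TCP 443, reverse DNS failed so the destination hostname is "-"
    sysmon_event_xml(3, "WS01.corp.local", **_SVCHOST, **_LOCAL, Protocol="tcp", Initiated="true",
                     SourcePort="49712", DestinationIp="93.184.216.34",
                     DestinationHostname="-", DestinationPort="443"),
    # svchost: second outbound TCP 443, this time with a resolved destination name
    sysmon_event_xml(3, "WS01.corp.local", **_SVCHOST, **_LOCAL, Protocol="tcp", Initiated="true",
                     SourcePort="49713", DestinationIp="203.0.113.10",
                     DestinationHostname="login.example.net", DestinationPort="443"),
    # powershell: outbound TCP 4444 to an unresolved address
    sysmon_event_xml(3, "WS01.corp.local", **_PWSH, **_LOCAL, Protocol="tcp", Initiated="true",
                     SourcePort="49800", DestinationIp="198.51.100.7",
                     DestinationHostname="-", DestinationPort="4444"),
    # inbound SMB accepted by svchost: Initiated=false, must be dropped
    sysmon_event_xml(3, "WS01.corp.local", **_SVCHOST, **_LOCAL, Protocol="tcp", Initiated="false",
                     SourcePort="445", DestinationIp="10.0.0.9",
                     DestinationHostname="-", DestinationPort="51000"),
    # UDP DNS lookup by svchost: Protocol=udp, must be dropped
    sysmon_event_xml(3, "WS01.corp.local", **_SVCHOST, **_LOCAL, Protocol="udp", Initiated="true",
                     SourcePort="60001", DestinationIp="10.0.0.1",
                     DestinationHostname="dc01.corp.local", DestinationPort="53"),
]) + "</Events>"


def is_unresolved(value):
    """True for a missing field, an empty string, or Sysmon's "-" placeholder.
    Assumption to verify on your own data: Sysmon writes "-" when reverse DNS fails.
    Splunk's isnotnull() does not treat "-" as missing, which is why the SPL can emit "-:443"."""
    return value is None or value.strip() in ("", "-")


def endpoint(data, side):
    """'<hostname or IP>:<port>' for side "Source" or "Destination" (mirrors the SPL eval calls)."""
    host = data.get(f"{side}Hostname")
    if is_unresolved(host):
        host = data.get(f"{side}Ip")
    port = data.get(f"{side}Port")
    return f"{host}:{port}"


def parse_events(xml_text):
    """Yield (event_id, computer, {Data Name: value}) for each <Event> inside an <Events> wrapper."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        computer = ev.findtext("e:System/e:Computer", namespaces=NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield event_id, computer, data


def outbound_connections_by_process(xml_text):
    """Python equivalent of the search: keep EventCode=3, Protocol=tcp, Initiated=true, then
    collect distinct 'src => dest' strings per (ProcessGuid, ProcessId, User, Computer, Image),
    the same grouping as `stats values(src_dest) by ...`."""
    groups = defaultdict(set)  # values() returns distinct values, so a set per key
    for event_id, computer, d in parse_events(xml_text):
        if event_id != "3":
            continue
        if d.get("Protocol", "").lower() != "tcp" or d.get("Initiated", "").lower() != "true":
            continue
        key = (d.get("ProcessGuid"), d.get("ProcessId"), d.get("User"), computer, d.get("Image"))
        groups[key].add(f"{endpoint(d, 'Source')} => {endpoint(d, 'Destination')}")
    return {key: sorted(conns) for key, conns in groups.items()}


if __name__ == "__main__":
    for (guid, pid, user, computer, image), conns in outbound_connections_by_process(SAMPLE_XML).items():
        print(f"{computer} {user} {image} (pid {pid}, {guid})")
        for conn in conns:
            print(f"    {conn}")
```

Running it prints two process groups: svchost.exe with both of its outbound 443 connections, and powershell.exe with its single connection to port 4444; the inbound and UDP records are filtered out exactly as Initiated=true and Protocol=tcp do in the search. Swap the set for a list, or keep a counter per key, when you want the count and timing that values() throws away.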