Sysmon - Outbound Connections by Process
Description
Lists every outbound TCP connection that each process instance initiated, as recorded by Sysmon Event ID 3 (Network connection). The search keeps only events with Initiated=true and Protocol=tcp, labels each endpoint as hostname:port when Sysmon resolved a name and ip:port otherwise, and groups the resulting "src => dest" pairs by ProcessGuid, ProcessId, User, Computer and Image, so one row summarises where a given process instance talked to.

Notes for use: ProcessGuid is part of the grouping because ProcessId values are reused after a process exits, so grouping by PID alone would merge unrelated processes. Protocol=tcp drops UDP traffic, including DNS lookups; remove that term if you want them. The isnotnull() test only works when unresolved hostnames are absent from the event; check whether your events carry "-" (the value Sysmon writes for empty fields) in SourceHostname or DestinationHostname, and if they do, extend each test, for example isnotnull(SourceHostname) AND SourceHostname!="-", otherwise those connections are labelled "-:port".
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Protocol=tcp Initiated=true
| eval src=if(isnotnull(SourceHostname), SourceHostname+":"+SourcePort, SourceIp+":"+SourcePort)
| eval dest=if(isnotnull(DestinationHostname), DestinationHostname+":"+DestinationPort, DestinationIp+":"+DestinationPort)
| eval src_dest=src+" => "+dest
| stats values(src_dest) as Connection by ProcessGuid ProcessId User Computer Image
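The same logic run offline over raw Sysmon Event ID 3 XML, as an added example (not code from the original page or from the search's author). It parses constructed sample events, applies the three filters, builds the "src => dest" labels and groups them the way the stats command does. The one deliberate deviation is that it treats a hostname of "-" as unresolved and falls back to the IP, which the SPL's isnotnull() test does not; that "-" convention is an assumption to confirm against your own events. Field names follow Sysmon's EventData; all sample values are invented.

```python
"""Offline check of the "Outbound Connections by Process" SPL logic.

Example code added to this page; it is not the search author's code. It
parses raw Sysmon Event ID 3 XML (the records the XmlWinEventLog sourcetype
carries), applies the search's filters, builds "src => dest" labels and
groups them as the stats command does.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Values a hostname field can hold when nothing was resolved. "-" is what
# Sysmon writes for empty EventData fields (assumption: check your own
# events); the SPL's isnotnull() test would accept "-" as a real name.
UNRESOLVED = {None, "", "-"}


def _event(computer, event_id, **data):
    """Build a minimal Sysmon-style XML event (constructed test data)."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            f"<Computer>{computer}</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")


SVCHOST = dict(ProcessGuid="{7f3c0b5e-9a1c-4e52-9d17-000000000001}", ProcessId="4321",
               Image=r"C:\Windows\System32\svchost.exe", User=r"NT AUTHORITY\SYSTEM")
POWERSHELL = dict(ProcessGuid="{7f3c0b5e-9a1c-4e52-9d17-000000000002}", ProcessId="7788",
                  Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  User=r"CORP\alice")

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Outbound TCP 443 from svchost; destination name unresolved.
    _event("WS01.corp.example", 3, **SVCHOST, Protocol="tcp", Initiated="true",
           SourceIp="10.0.0.5", SourceHostname="WS01.corp.example", SourcePort="51234",
           DestinationIp="93.184.216.34", DestinationHostname="-", DestinationPort="443"),
    # Second outbound TCP from the same process instance, name resolved.
    _event("WS01.corp.example", 3, **SVCHOST, Protocol="tcp", Initiated="true",
           SourceIp="10.0.0.5", SourceHostname="WS01.corp.example", SourcePort="51240",
           DestinationIp="93.184.216.34", DestinationHostname="example.com", DestinationPort="80"),
    # UDP DNS lookup from the same process: dropped by Protocol=tcp.
    _event("WS01.corp.example", 3, **SVCHOST, Protocol="udp", Initiated="true",
           SourceIp="10.0.0.5", SourceHostname="WS01.corp.example", SourcePort="60000",
           DestinationIp="10.0.0.2", DestinationHostname="dc01.corp.example", DestinationPort="53"),
    # Inbound RDP accepted by the System process: dropped by Initiated=true.
    _event("WS01.corp.example", 3, ProcessGuid="{7f3c0b5e-9a1c-4e52-9d17-000000000000}",
           ProcessId="4", Image="System", User=r"NT AUTHORITY\SYSTEM",
           Protocol="tcp", Initiated="false",
           SourceIp="10.0.0.5", SourceHostname="WS01.corp.example", SourcePort="3389",
           DestinationIp="10.0.0.9", DestinationHostname="-", DestinationPort="50111"),
    # Outbound TCP from PowerShell with both names unresolved: IP fallback.
    _event("WS01.corp.example", 3, **POWERSHELL, Protocol="tcp", Initiated="true",
           SourceIp="10.0.0.5", SourceHostname="-", SourcePort="51300",
           DestinationIp="198.51.100.7", DestinationHostname="-", DestinationPort="4444"),
    # A process-creation event (ID 1): dropped by EventCode=3.
    _event("WS01.corp.example", 1, **POWERSHELL, CommandLine="powershell.exe -nop -w hidden"),
]


def parse_event(xml_text):
    """Flatten one XML event into the field names Splunk would extract."""
    root = ET.fromstring(xml_text)
    rec = {"EventCode": root.findtext("e:System/e:EventID", namespaces=NS),
           "Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text
    return rec


def endpoint(rec, side):
    """hostname:port when a name was resolved, otherwise ip:port."""
    host = rec.get(side + "Hostname")
    if host in UNRESOLVED:
        host = rec.get(side + "Ip")
    return f"{host}:{rec.get(side + 'Port')}"


def outbound_connections_by_process(records):
    """The search's filters and stats command, over parsed records."""
    groups = defaultdict(set)
    for rec in records:
        if rec.get("EventCode") != "3":
            continue
        if rec.get("Protocol") != "tcp" or rec.get("Initiated") != "true":
            continue
        key = tuple(rec.get(f) for f in
                    ("ProcessGuid", "ProcessId", "User", "Computer", "Image"))
        groups[key].add(f"{endpoint(rec, 'Source')} => {endpoint(rec, 'Destination')}")
    # stats values() yields each distinct value once, in lexicographic order.
    return {key: sorted(conns) for key, conns in groups.items()}


def run_search(xml_events=SAMPLE_EVENTS):
    return outbound_connections_by_process(parse_event(e) for e in xml_events)


if __name__ == "__main__":
    for (guid, pid, user, computer, image), conns in run_search().items():
        print(f"{computer} {image} pid={pid} user={user} {guid}")
        for c in conns:
            print("   ", c)
```

Running it prints two groups: the svchost instance with its two TCP connections, and the PowerShell instance whose single connection is labelled with IPs on both sides. The UDP, inbound and Event ID 1 records never reach the grouping, which is the behaviour the three filter terms in the search encode.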