Rare Remote Ports in Network Connections

The query analyzes IPv4 network connection events, counts occurrences per remote port, calculates their percentage of total connections, and lists only ports representing less than 10% of the traffic.

Tags: EDR, hunting, FDR, intermediate
By CrowdStrike (cql-hub.com), 1 min read

Query

#event_simpleName=NetworkConnectIP4
| groupBy([RemotePort], function=count(as=count), limit=max)
| [sum(count, as=total), sort(field=RemotePort, order=ascending, limit=20000)]
| percent := 100 * (count / total)
| drop([total])
| percent < 10

Explanation

Imported from cql-hub.com. Pipe by pipe: the first line selects IPv4 network connection events (#event_simpleName=NetworkConnectIP4); groupBy([RemotePort], ...) counts connections per remote port, with limit=max so no port is dropped from the aggregation; the bracketed stage computes the grand total of those counts as total and attaches it to every per-port row, sorted by port number ascending; percent := 100 * (count / total) turns each count into its share of all connections; drop([total]) removes the helper column; and percent < 10 keeps only the ports whose share is strictly below the 10% threshold.
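As an added example (not code from cql-hub.com or CrowdStrike), the same aggregation in Python over a constructed set of NetworkConnectIP4-style events, so the threshold can be exercised offline; the field names mirror the query, the helper names are my own. It keeps the raw count next to the percentage, since a port under 10% of traffic can still carry many connections on a busy host.

```python
from collections import Counter


def make_events(port, n, name="NetworkConnectIP4"):
    """Build n constructed events carrying the two fields the query uses."""
    return [{"event_simpleName": name, "RemotePort": port} for _ in range(n)]


# Constructed sample: 20 IPv4 connections plus one IPv6 event that the
# #event_simpleName filter must ignore. Port 53 sits exactly at 10%, which
# the strict "percent < 10" comparison excludes.
SAMPLE_EVENTS = (
    make_events(443, 12)
    + make_events(80, 5)
    + make_events(53, 2)
    + make_events(3389, 1)
    + make_events(22, 1, name="NetworkConnectIP6")
)


def rare_remote_ports(events, threshold_pct=10.0):
    """Mirror the query: count per RemotePort, compute each port's share of
    all IPv4 connections, keep ports strictly below threshold_pct, sorted
    by port number. Returns (RemotePort, count, percent) tuples; count is
    kept so an analyst can see how much traffic a "rare" port still carries.
    """
    counts = Counter(
        e["RemotePort"]
        for e in events
        if e.get("event_simpleName") == "NetworkConnectIP4"  # event filter
    )
    total = sum(counts.values())  # sum(count, as=total)
    if total == 0:
        return []
    rows = []
    for port in sorted(counts):  # sort(field=RemotePort, order=ascending)
        percent = 100 * counts[port] / total  # percent := 100 * (count / total)
        if percent < threshold_pct:  # percent < 10
            rows.append((port, counts[port], round(percent, 2)))
    return rows


if __name__ == "__main__":
    for port, count, percent in rare_remote_ports(SAMPLE_EVENTS):
        print(f"RemotePort={port} count={count} percent={percent}")
```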

Variables to adjust

Review and adjust the values for your environment: the 10% threshold in the final filter (percent < 10) decides how rare a port must be to appear in the results, and the limit=20000 on the sort caps how many distinct ports are carried through that stage.