detection.wiki

Detection rules › Kusto Query Language

Google Threat Intelligence - Threat Hunting IP

Source
upstream

'Google Threat Intelligence IP correlation.'

MITRE ATT&CK coverage

TacticTechniques
Command & ControlT1071 Application Layer Protocol

Event coverage

ProviderEvent IDTitle
Sysmon3Network connection
Security-Auditing5152The Windows Filtering Platform blocked a packet.
Security-Auditing5154The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing5155The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing5156The Windows Filtering Platform has permitted a connection.
Security-Auditing5157The Windows Filtering Platform has blocked a connection.
Security-Auditing5158The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing5159The Windows Filtering Platform has blocked a bind to a local port.

Stages and Predicates

Stage 1: source

_Im_NetworkSession

Stage 2: where

DstIpAddr is_not_null

Stage 3: join

Stage 4: project