Forum Discussion
Maximilian Grandahl Lærum
Aug 21, 2019, Brass Contributor
Threats > August 2019 RDP update advisory > Hunting Query
Hi! In the "August 2019 RDP update advisory" threat page, there is a hunting query:
// Find unusual processes with outbound connections to TCP port 3389
NetworkCommunicationEvents
| where...
Mattias Borg
Aug 23, 2019, Brass Contributor
Hi Maximilian Grandahl Lærum,
Replace the summarize row with the following instead (and remove the rest).
| project EventTime,ComputerName,MachineId,RemoteIP,InitiatingProcessFileName,InitiatingProcessCommandLine,InitiatingProcessSHA1,ReportId
The makeset function groups the results; by changing it you will get results per machine instead.
Another solution would be to append the last original line with
,ReportId, MachineId
but I would go for the first one.
Happy Hunting
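To show the difference the reply describes, here are the two shapes side by side as an added example (not the advisory's query, which is truncated above, and not Mattias Borg's code). The 7-day window, the RemotePort filter and the allow-list of expected RDP clients are assumptions; the two queries are run separately, since a Kusto query returns one tabular result.

```kusto
// Added example, not the advisory's original query.
// Assumed: 7-day window, RemotePort column, and a constructed
// placeholder allow-list of RDP clients expected in this environment.
let allowedRdpClients = dynamic(["mstsc.exe"]);   // constructed placeholder

// --- Query A: the original shape, grouped with makeset() ---
// makeset() collapses rows, so each process appears once with the set
// of machines and remote IPs it reached. Good for a triage overview,
// but the per-event EventTime, MachineId and ReportId are lost.
NetworkCommunicationEvents
| where EventTime > ago(7d)
| where RemotePort == 3389
| where InitiatingProcessFileName !in~ (allowedRdpClients)
| summarize MachineCount = dcount(MachineId),
            Machines = makeset(ComputerName),
            RemoteIPs = makeset(RemoteIP)
  by InitiatingProcessFileName, InitiatingProcessSHA1
| order by MachineCount asc   // rare processes first

// --- Query B: the replacement suggested in the reply ---
// project keeps one row per connection event, so each row carries the
// EventTime, MachineId and ReportId that identify the source record
// (the columns a Defender ATP custom detection rule needs in its output).
NetworkCommunicationEvents
| where EventTime > ago(7d)
| where RemotePort == 3389
| where InitiatingProcessFileName !in~ (allowedRdpClients)
| project EventTime, ComputerName, MachineId, RemoteIP,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessSHA1, ReportId
| order by EventTime desc
```

Query A answers "which processes talk to 3389 and from how many machines"; Query B is the form to save as a detection, because every row can be traced back to a single event on a single machine.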
Maximilian Grandahl Lærum
Sep 19, 2019, Brass Contributor
Thanks!