Forum Discussion

Ciyaresh91's avatar
Ciyaresh91
Copper Contributor
Dec 21, 2023

How do you investigate network anomaly related alerts?

Hello everyone.   Using some of the built-in analytical rules such as "Anomaly was observed with IPv6-ICMP Traffic", when you go into the incident event details, its just some numbers of the expect...
analytics
jAuquilae's avatar
jAuquilae
Occasional Reader
Feb 04, 2026

I have analyzed incidents related to: Anomaly found in Network Session Traffic (ASIM Network Session schema)

 

It's a UEBA/Anomaly Rule. Does not generate events, therefore no event is included in the incident.

- Calculates baseline vs. deviation

- Result is an assessment

- Uses multiple log sources

 

You can analyse the Incident with the ASIM Parser _Im_NetworkSession.

 

Overall overview: Protocol trend over 14 days (TCP, UDP)

let min_t = ago(14d);

let max_t = now();

_Im_NetworkSession(starttime=min_t, endtime=max_t)

| summarize Count=count() by NetworkProtocol, bin(TimeGenerated, 1d)

| order by TimeGenerated asc

 

origin of the connections

let min_t = ago(14d);

let max_t = now();

_Im_NetworkSession(starttime=min_t, endtime=max_t)

| where NetworkProtocol == "UDP"

| summarize Count=count() by SrcIpAddr, NetworkDirection, bin(TimeGenerated, 1d)

//| order by Count desc

| order by TimeGenerated asc

 

Ports & Apps

let min_t = ago(14d);

let max_t = now();

_Im_NetworkSession(starttime=min_t, endtime=max_t)

| where NetworkProtocol == "UDP"

| summarize Count=count() by SrcIpAddr, DstPortNumber, DstAppName, bin(TimeGenerated, 1d)

| order by TimeGenerated asc

 

UDP connections for an IP + app during the day:

let incident_day_start = datetime(2026-xx-xxT00:00:00Z); // changeme

let incident_day_end = datetime(2026-xx-xxT23:59:59Z); // changeme

let target_src_ip = "<IP>"; // changeme

let target_app = "<APP>"; // changeme

_Im_NetworkSession(starttime=incident_day_start, endtime=incident_day_end)

| where NetworkProtocol == "UDP"

| where SrcIpAddr == target_src_ip

| where DstAppName == target_app

//| summarize TotalCount = count() by SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber

//| order by TotalCount desc

| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, NetworkDirection, NetworkProtocol

 

If you need more columns, you can display the available fields with:

_Im_NetworkSession(starttime=ago(1d), endtime=now())

| getschema

OR

_Im_NetworkSession(starttime=ago(7d), endtime=now())

| where DvcId == "<YOUR_DvcId>"

| getschema

Resources