Forum Discussion

Ciyaresh91
Copper Contributor
Dec 21, 2023

How do you investigate network anomaly related alerts?

Hello everyone.

Using some of the built-in analytical rules such as "Anomaly was observed with IPv6-ICMP Traffic", when you go into the incident event details, it's just some numbers of the expected baseline vs actual value. What do you do with this?

Similar case with the following rules:

Anomaly found in Network Session Traffic (ASIM Network Session schema)
Anomaly was observed with ESP Traffic
Anomaly was observed with Outbound Traffic
Anomaly was observed with Unassigned Traffic

3 Replies

  • jAuquilae
    Occasional Reader

    I have analyzed incidents related to: Anomaly found in Network Session Traffic (ASIM Network Session schema)

    It's a UEBA/Anomaly rule. It does not generate events, therefore no event is included in the incident.

    - Calculates baseline vs. deviation
    - Result is an assessment
    - Uses multiple log sources

    You can analyse the incident with the ASIM parser _Im_NetworkSession.

    Overall overview: protocol trend over 14 days (TCP, UDP)

    let min_t = ago(14d);
    let max_t = now();
    _Im_NetworkSession(starttime=min_t, endtime=max_t)
    | summarize Count=count() by NetworkProtocol, bin(TimeGenerated, 1d)
    | order by TimeGenerated asc

    Origin of the connections:

    let min_t = ago(14d);
    let max_t = now();
    _Im_NetworkSession(starttime=min_t, endtime=max_t)
    | where NetworkProtocol == "UDP"
    | summarize Count=count() by SrcIpAddr, NetworkDirection, bin(TimeGenerated, 1d)
    //| order by Count desc
    | order by TimeGenerated asc

    Ports & apps:

    let min_t = ago(14d);
    let max_t = now();
    _Im_NetworkSession(starttime=min_t, endtime=max_t)
    | where NetworkProtocol == "UDP"
    | summarize Count=count() by SrcIpAddr, DstPortNumber, DstAppName, bin(TimeGenerated, 1d)
    | order by TimeGenerated asc

    UDP connections for an IP + app during the day:

    let incident_day_start = datetime(2026-xx-xxT00:00:00Z); // changeme
    let incident_day_end = datetime(2026-xx-xxT23:59:59Z); // changeme
    let target_src_ip = "<IP>"; // changeme
    let target_app = "<APP>"; // changeme
    _Im_NetworkSession(starttime=incident_day_start, endtime=incident_day_end)
    | where NetworkProtocol == "UDP"
    | where SrcIpAddr == target_src_ip
    | where DstAppName == target_app
    //| summarize TotalCount = count() by SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber
    //| order by TotalCount desc
    | project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, NetworkDirection, NetworkProtocol

    If you need more columns, you can display the available fields with:

    _Im_NetworkSession(starttime=ago(1d), endtime=now())
    | getschema

    OR

    _Im_NetworkSession(starttime=ago(7d), endtime=now())
    | where DvcId == "<YOUR_DvcId>"
    | getschema
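The queries in the reply above give the pieces (daily trend, sources, ports) but not the step that turns the "baseline vs. actual" numbers in the incident into something to act on. The following is an added example, not part of the reply and not the anomaly rule's own query: it rebuilds a comparable baseline for one protocol from the same ASIM parser over the same 14 days, checks the incident day against it, and in the same result lists which source/destination pairs produced the excess, each with its own prior-day average. The incident date, the `NetworkProtocol` string (`ICMPv6` is assumed here; check what your connector actually writes with `getschema` or a `distinct`) and the 14-day window are assumptions to change. The rule's real baseline logic is not reproduced, so expect numbers in the same ballpark as the incident, not identical ones.

```kql
// Added example (not the rule's own logic): reproduce "baseline vs. actual" for the protocol
// named in the alert with the ASIM Network Session parser, then pivot to who caused the excess.
// Assumptions to change: the incident day, the protocol string and the 14-day window.
let lookback_days   = 14;                                // assumption: a window like the rule's
let incident_day    = startofday(datetime(2023-12-20));  // changeme: day the anomaly fired
let target_protocol = "ICMPv6";                          // changeme: NetworkProtocol value in your data (assumed)
let window_start    = incident_day - 1d * lookback_days;
let window_end      = incident_day + 1d;
// Sessions per day for the protocol over the whole window; days with no traffic count as 0
let daily =
    _Im_NetworkSession(starttime=window_start, endtime=window_end)
    | where NetworkProtocol =~ target_protocol
    | make-series Sessions = count() default = 0 on TimeGenerated from window_start to window_end step 1d
    | mv-expand TimeGenerated to typeof(datetime), Sessions to typeof(long)
    | project Day = TimeGenerated, Sessions;
// Baseline from the prior days only; the incident day itself is excluded from it
let baseline_avg = toscalar(daily | where Day < incident_day | summarize avg(Sessions));
let baseline_sd  = toscalar(daily | where Day < incident_day | summarize stdev(Sessions));
let day_total    = toscalar(daily | where Day == incident_day | summarize sum(Sessions));
// Who produced the incident-day volume: each source/destination pair with its own prior-day
// average, so a newcomer stands out from a regular that is merely noisy.
// DstPortNumber is empty for ICMP; add it to the grouping for TCP/UDP anomalies.
_Im_NetworkSession(starttime=window_start, endtime=window_end)
| where NetworkProtocol =~ target_protocol
| summarize Sessions = count() by SrcIpAddr, DstIpAddr, NetworkDirection, Day = bin(TimeGenerated, 1d)
| summarize IncidentDay   = sumif(Sessions, Day == incident_day),
            PriorDailyAvg = round(todouble(sumif(Sessions, Day < incident_day)) / lookback_days, 1),
            FirstSeen     = min(Day)
            by SrcIpAddr, DstIpAddr, NetworkDirection
| where IncidentDay > 0
| extend Excess      = round(IncidentDay - PriorDailyAvg, 1),
         ShareOfDay  = round(100.0 * IncidentDay / day_total, 1),
         DayActual   = day_total,
         DayBaseline = round(baseline_avg, 1),
         DayZScore   = round((day_total - baseline_avg) / iff(baseline_sd == 0, 1.0, baseline_sd), 2)
| top 20 by Excess desc
```

Read the result in two passes. The three `Day*` columns repeat the day-level comparison on every row so you can sanity-check it against the incident: if `DayActual` is nowhere near the incident's actual value, the protocol string or the data source is wrong and the rest of the pivot is meaningless. Then look at the rows: a pair with a large `Excess` and `FirstSeen` equal to the incident day is new behaviour and the first thing to investigate (use the reply's last query with that `SrcIpAddr` to see the individual sessions); a pair that is large but has a similar `PriorDailyAvg` is background that the baseline already contained, and a spike spread thinly over many pairs with no dominant `ShareOfDay` points at a collection or device change rather than a single host.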

  • Shonen
    Copper Contributor

    Hi,

    I have the same question. Do you get some info about it?
