Hi,
You can probably use this; please see below:
Correlation Alert Rule Query:
config case_sensitive = false
| preset = network_story // network connection events
| filter action_remote_port < 1025 // You can increase this number according to your needs, but a port range up to 1025 will be good enough.
| fields agent_hostname as Hostname, action_local_ip as SRC_IP, action_remote_ip as DST_IP, action_remote_port as DST_Port
| comp count_distinct(DST_Port) as Counter by Hostname, SRC_IP, DST_IP // distinct low ports per host / source / destination
| filter Counter > 25 // Adjust the counter value according to your needs.
For the alert drill-down, please use the query below:
config case_sensitive = false
| dataset = xdr_data
| filter action_local_ip = $SRC_IP and action_remote_ip = $DST_IP // $SRC_IP and $DST_IP are taken from the alert's fields
| fields agent_hostname as Hostname, action_local_ip, action_remote_ip, action_remote_port, actor_process_image_name, actor_process_command_line, actor_effective_username, actor_process_image_path // which process and user made the connections
Please let us know the outcome.
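The following is an added example, not code from the post above or from Cortex XDR: it re-implements the same two queries in Python so the thresholds can be exercised offline. The field names are the ones the XQL queries use; the records, hostnames, IPs and process names are constructed sample data, not real telemetry.

```python
# Added example (not from the original post or from Cortex XDR): the
# correlation rule and drill-down logic of the two XQL queries, re-implemented
# in Python over constructed records so the thresholds can be tried offline.
from collections import defaultdict

MAX_PORT = 1025          # matches "action_remote_port < 1025"
MIN_DISTINCT_PORTS = 25  # matches "Counter > 25"

DRILL_DOWN_COLUMNS = (
    "agent_hostname", "action_local_ip", "action_remote_ip", "action_remote_port",
    "actor_process_image_name", "actor_process_command_line",
    "actor_effective_username", "actor_process_image_path",
)


def correlation_rule(events, max_port=MAX_PORT, min_distinct=MIN_DISTINCT_PORTS):
    """Mirror of the correlation query: keep events whose remote port is below
    max_port, count the distinct remote ports per (hostname, local ip, remote ip)
    and return the groups whose count exceeds min_distinct."""
    ports_seen = defaultdict(set)  # (Hostname, SRC_IP, DST_IP) -> set of ports
    for ev in events:
        if ev["action_remote_port"] < max_port:
            key = (ev["agent_hostname"], ev["action_local_ip"], ev["action_remote_ip"])
            ports_seen[key].add(ev["action_remote_port"])
    return [
        {"Hostname": host, "SRC_IP": src, "DST_IP": dst, "Counter": len(ports)}
        for (host, src, dst), ports in sorted(ports_seen.items())
        if len(ports) > min_distinct
    ]


def drill_down(events, src_ip, dst_ip):
    """Mirror of the drill-down query: every event between the alerted pair,
    projected to the process and user columns an analyst wants to see."""
    return [
        {col: ev[col] for col in DRILL_DOWN_COLUMNS}
        for ev in events
        if ev["action_local_ip"] == src_ip and ev["action_remote_ip"] == dst_ip
    ]


def make_event(host, src, dst, port, image, user, path, cmdline):
    """Build one constructed record using the xdr_data field names above."""
    return {
        "agent_hostname": host,
        "action_local_ip": src,
        "action_remote_ip": dst,
        "action_remote_port": port,
        "actor_process_image_name": image,
        "actor_process_command_line": cmdline,
        "actor_effective_username": user,
        "actor_process_image_path": path,
    }


def scanner(host, src, dst, port):
    return make_event(host, src, dst, port, "nmap.exe", "corp\\jdoe",
                      "C:\\Tools\\nmap.exe", f"nmap.exe -p 1-1024 {dst}")


def browser(host, src, dst, port):
    return make_event(host, src, dst, port, "chrome.exe", "corp\\asmith",
                      "C:\\Program Files\\Google\\Chrome\\chrome.exe", "chrome.exe")


# Constructed sample data (not real telemetry):
SAMPLE_EVENTS = (
    # WS01 touches 30 distinct low ports on 10.0.0.5, each twice; the
    # duplicates must not inflate count_distinct.
    [scanner("WS01", "10.0.0.10", "10.0.0.5", p) for p in range(20, 50)] * 2
    # WS04 touches exactly 25 low ports: "Counter > 25" does not fire.
    + [scanner("WS04", "10.0.0.13", "10.0.0.5", p) for p in range(1, 26)]
    # WS02 is ordinary web traffic: two low ports only.
    + [browser("WS02", "10.0.0.11", "10.0.0.5", p) for p in (80, 443)]
    # WS03 hits 100 distinct ports that are all >= 1025: filtered out
    # before counting, so no alert.
    + [browser("WS03", "10.0.0.12", "10.0.0.6", p) for p in range(40000, 40100)]
)


if __name__ == "__main__":
    for alert in correlation_rule(SAMPLE_EVENTS):
        print("ALERT", alert)
        for row in drill_down(SAMPLE_EVENTS, alert["SRC_IP"], alert["DST_IP"])[:3]:
            print("   ", row["actor_effective_username"], row["actor_process_command_line"])
```

Two details of the rule are worth seeing on data: `count_distinct` means repeated connections to the same port do not raise the counter, and `Counter > 25` is a strict comparison, so a host that touches exactly 25 low ports stays silent until the threshold is lowered.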