{"id":284,"date":"2024-12-04T10:28:18","date_gmt":"2024-12-04T09:28:18","guid":{"rendered":"https:\/\/cyber-resilience.mobi\/?p=284"},"modified":"2024-12-04T10:28:18","modified_gmt":"2024-12-04T09:28:18","slug":"analyse-les-evenements-de-securite-lies-au-partage-de-fichiers-sur-une-periode-de-14-jours-en-se-concentrant-sur-les-evenements-recents-derniere-heure-et-en-filtrant-les-adresses-ip-ayant-accede-a","status":"publish","type":"post","link":"https:\/\/cyber-resilience.mobi\/?p=284","title":{"rendered":"Analyses file-share security events over a 14-day period, focusing on recent events (last hour) and filtering for IP addresses that accessed more than 5 distinct share paths. The results are then projected to display the relevant information."},"content":{"rendered":"\n<pre class=\"wp-block-code\"><code>let query_frequency = 1h;\nlet query_period = 14d;\nlet files_threshold = 5;\nSecurityEvent\n| where TimeGenerated > ago(query_period)\n| where EventID == 5140\n| summarize arg_min(TimeGenerated, *) by IpAddress, Account, Computer, ShareLocalPath\n| where TimeGenerated > ago(query_frequency)\n| summarize hint.strategy=shuffle\n    StartTime = min(TimeGenerated),\n    EndTime = max(TimeGenerated),\n    Accounts = array_sort_asc(make_set(Account, 50)),\n    Computers = array_sort_asc(make_set(Computer, 50)),\n    ShareLocalPaths = array_sort_asc(make_set_if(ShareLocalPath, isnotempty(ShareLocalPath), 50)),\n    ShareLocalPathCount = count_distinct(ShareLocalPath),\n    take_any(Activity)\n    by IpAddress\n| where ShareLocalPathCount > files_threshold\n| project\n    StartTime,\n    EndTime,\n    IpAddress,\n    Accounts,\n    Activity,\n    Computers,\n    ShareLocalPathCount,\n    ShareLocalPaths\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,20],"tags":[18,19,37,22,29,30],"class_list":["post-284","post","type-post","status-publish","format-standard","hentry","category-kql","category-kql-sentinel","tag-kql","tag-kusto","tag-securite","tag-sentinel","tag-siem","tag-xdr"],"_links":{"self":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=284"}],"version-history":[{"count":1,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/284\/revisions"}],"predecessor-version":[{"id":285,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/284\/revisions\/285"}],"wp:attachment":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}