This artifact is meant for monitoring network connections on clients. It periodically queries the existing network connections and emits lines for differences (new connections and missing/removed ones). Network connections are tracked and compared based on following elements: process id, layer 3 protocol, layer 4 protocol, local address used, local port used, remote address used, remote port used.
The network connection information is enriched with process information to make it easier to analyze emited lines.
name: Generic.Events.TrackNetworkConnections
author: Herbert Bärschneider @SEC Consult
description: |
This artifact is meant for monitoring network connections on clients.
It periodically queries the existing network connections and emits lines for differences (new connections and missing/removed ones).
Network connections are tracked and compared based on following elements: process id, layer 3 protocol, layer 4 protocol, local address used, local port used, remote address used, remote port used.
The network connection information is enriched with process information to make it easier to analyze emited lines.
type: CLIENT_EVENT
parameters:
- name: Period
default: 2
type: int
description: how many seconds the artifact waits between checking network connections for changes
sources:
- query: |
LET NetworkConnections = SELECT *, format(format="%v %v %v %v %v %v %v", args=[Pid, Family, Type, Laddr.IP, Laddr.Port, Raddr.IP, Raddr.Port]) AS DiffKey FROM netstat()
LET EventQuery = SELECT * FROM diff(query=NetworkConnections, period=Period, key="DiffKey")
SELECT *, process_tracker_get(id=Pid) AS ProcInfo FROM EventQuery