Question Analysis

DeviceProcessEvents | where ProcessCommandLine contains "metrics" and ProcessCommandLine contains "tcp" | where not(ProcessCommandLine contains "lo") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine

let linux_devices = DeviceInfo | where OSPlatform =~ "Linux" | summarize arg_max(TimeGenerated, *) by DeviceId | project DeviceId; let tcp_metric_cmds = DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (linux_devices) on DeviceId | where tolower(ProcessCommandLine) has "tcp_metrics" or tolower(ProcessCommandLine) has "tcpmetrics" | project DeviceId, DeviceName, TimeGenerated, Pid=ProcessId, ParentPid=InitiatingProcessId, SessionId=CreatedProcessSessionId, UtilityFileName=tolower(FileName), Cmd=ProcessCommandLine; let loopback_filter_cmds = DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (linux_devices) on DeviceId | where tolower(FileName) in~ ("grep","egrep","fgrep","awk","sed") | where ProcessCommandLine matches regex @"(?i)(-v\s+(lo|127\.0\.0\.1)|!/(lo|127\.0\.0\.1)/|/(lo|127\.0\.0\.1)/d)" | project DeviceId, TimeGenerated, FilterPid=ProcessId, FilterParentPid=InitiatingProcessId, FilterSessionId=CreatedProcessSessionId, FilterProc=tolower(FileName), FilterCmd=ProcessCommandLine; let correlated = tcp_metric_cmds | join kind=innerunique (loopback_filter_cmds) on DeviceId | where (ParentPid == FilterParentPid or SessionId == FilterSessionId) and abs(tolong((TimeGenerated - TimeGenerated1)/1s)) <= 120s/1s | project UtilityUsed=UtilityFileName, Cmd, Correlation="WithLoopbackFilter"; let candidates = tcp_metric_cmds | project UtilityUsed=UtilityFileName, Cmd, Correlation="NoFilterObserved"; union correlated, candidates | summarize EventCount=count(), ExampleCommand=any(Cmd) by UtilityUsed, Correlation | order by Correlation asc, EventCount desc

let Keywords = dynamic(["tcp","metric","metrics","cache","mcache","route","-i","-s","-I","--metrics","ss -i","ss -I","ip route","ip -s","netstat -s","netstat -i"]); let CommandFilters = (cmd:string){ cmd =~ cmd }; union isfuzzy=true DeviceProcessEvents ,DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine) | extend Cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, ProcessCommandLine) | where Cmd has_any ("ip","ss","netstat") // filter for keywords indicating TCP metric/cache/metrics | where Cmd has_any ("tcp", "metric", "metrics", "cache", "mcache", "route", "-i", "-s", "--metrics", "-I", "-i=") // exclude invocations that explicitly target loopback interfaces or 127.0.0.1 | where not(Cmd has " lo" or Cmd has " lo:" or Cmd has "\"lo\"" or Cmd has "127.0.0.1" or Cmd has "::1") | extend Utility = extract(@"(^|\s)([^/\s]+)(?:$|\s)", 2, Cmd) | extend Utility = iif(isempty(Utility), file_name_simplified=tolower(tostring(split(Cmd, ' ')[0])), tolower(Utility)) | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, ProcessId, Cmd, Utility, InitiatingProcessFileName, FileName, ActionType | summarize count(), SampleCmds = make_set(Cmd, 10) by Utility, DeviceName, DeviceId | order by count_ desc | limit 50

let keywords = dynamic(["ss","netstat","ip route","ip -s","ip -s -s","ip neigh","ip route show cache","route -n","tc","tc -s"]); let proc = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId = DeviceId, ProcessCommandLine, FileName = FileName, ProcessId, AccountName, AccountDomain = AccountDomain; let dev = DeviceEvents | where isnotempty(InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId = DeviceId, ProcessCommandLine = InitiatingProcessCommandLine, FileName = iff(isnotempty(FileName), FileName, InitiatingProcessFileName), ProcessId = InitiatingProcessId, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain; proc | union dev | extend cmdLower = tolower(tostring(ProcessCommandLine)) // match utilities or mentions of metrics/cache/tcp | where cmdLower has_any (keywords) or cmdLower contains "metric" or cmdLower contains "cache" or cmdLower contains "tcp" or cmdLower contains "tcpmss" or cmdLower contains "mss" or cmdLower matches regex @"route.*cache" // exclude loopback interfaces and localhost addresses | where not(cmdLower contains "127.0.0.1" or cmdLower contains "::1" or cmdLower matches regex @"\b(lo|loopback)\b") // extract likely utility name | extend Utility = extract(@"(?i)\b(ss|netstat|ip|route|tc)\b", 1, cmdLower) | summarize Count = count(), SampleCommands = make_set(ProcessCommandLine, 10), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Utility, DeviceName, DeviceId | where isnotempty(Utility) | order by Count desc, LastSeen desc | project Utility, DeviceName, DeviceId, Count, FirstSeen, LastSeen, SampleCommands

DeviceProcessEvents | where TimeGenerated >= ago(7d) | where InitiatingProcessCommandLine has_any ("tcp","netstat","ss","tcp_metric","tcp-metrics","gettcpmetrics","metrics","cache") | where not (InitiatingProcessCommandLine contains "127.0.0.1" or InitiatingProcessCommandLine contains "localhost" or InitiatingProcessCommandLine contains "lo") | extend Utility = strcat(InitiatingProcessFileName, ": ", InitiatingProcessCommandLine) | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count() by InitiatingProcessFileName, InitiatingProcessCommandLine, Utility | sort by Hits desc | project FirstSeen, LastSeen, Hits, InitiatingProcessFileName, InitiatingProcessCommandLine, Utility

DeviceProcessEvents | where ProcessCommandLine has "ss" or ProcessCommandLine has "netstat" or ProcessCommandLine contains "tcp" | join kind=leftanti ( DeviceNetworkEvents | where LocalIP == "127.0.0.1" ) on DeviceId, InitiatingProcessId | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, DeviceId | summarize count() by InitiatingProcessFileName, DeviceName, ProcessCommandLine | order by count_ desc

DeviceProcessEvents | where ProcessCommandLine contains "ss" and ProcessCommandLine contains "tcp" and not (ProcessCommandLine contains "lo") | summarize utilities = make_set(FileName) | project utilities

DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform == "Linux" ) on DeviceId | where ProcessCommandLine has_any ("tcp", "cache") | where not(ProcessCommandLine has_any ("lo", "loopback")) | summarize Commands = makeset(ProcessCommandLine), Count=count() by FileName, DeviceName, bin(TimeGenerated, 1d) | order by Count desc

DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId ) on DeviceId | where ProcessCommandLine has_all ("ip", "tcp_metrics", "show") | where not(ProcessCommandLine has "lo") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine | order by TimeGenerated desc

let LinuxDevices = DeviceInfo | where tolower(OSPlatform) contains "linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) // Filter for any tcp_metrics invocation and ProcessCommandLine has "tcp_metrics" // Exclude loopback traffic entries and ProcessCommandLine !has " lo" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | summarize Invocations = count() by FileName, ProcessCommandLine | sort by Invocations desc

DeviceProcessEvents // Look for TCP metric cache listing commands (ss -M/--metrics or ip tcp_metrics) | where (ProcessCommandLine has "ss" and (ProcessCommandLine has "-M" or ProcessCommandLine has "--metrics")) or (ProcessCommandLine has "ip" and ProcessCommandLine has "tcp_metrics") // Exclude any references to the loopback interface | where ProcessCommandLine !contains " lo" and ProcessCommandLine !contains "dev lo" // Extract the invoked utility name from the full path | extend UtilityPath = tostring(split(ProcessCommandLine, ' ')[0]) | extend Utility = tostring(split(UtilityPath, '/')[array_length(split(UtilityPath, '/')) - 1]) // Count invocations per utility and sort by highest usage | summarize InvocationCount = count() by Utility | order by InvocationCount desc