Checking new outgoing traffic can be aggregated from the querying Capsule8's connection events. The query will return new outbound host connections that have been seen in the last 24 hours.
Required Tables
- connections
Returned Fields
|
dst_addr |
The address that was accessed |
|
occurrences |
How many times |
|
dt |
The average access datetime |
Query
SELECT dst_addr,
COUNT(1) as occurrences,
FROM_UNIXTIME(AVG(unix_nano_timestamp)/1e9) as dt
FROM connections b
WHERE (
SELECT COUNT(1)
FROM connections a
WHERE a.dst_addr = b.dst_addr and a.unix_nano_timestamp < TO_UNIXTIME(NOW()) * 1e9 - 60*60*24*1e9) = 0
GROUP BY dst_addr
Comments
0 comments
Please sign in to leave a comment.