A Windows desktop has been infected by ransomware, and you need to identify the IP address of the infected machine as part of your investigation.
- Run the following search.You can optimize it by specifying an index and adjusting the time range.
- In the field sections on the left, find and click sourcetype.
- Click the value with the highest count to add it to the search.
- In the field sections on the left, find and click src_ip.
This search returns the IP address most likely associated with the host name of the infected machine.
Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.