I am currently working on a creating a Modern Dashboard widget to show the top conversations for the last hour but the start/end times are longer than one hour. I am also trying to see if there is a way to get the hostnames to resolve to the endpoints name if possible. What I have so far is
SELECT TOP 5
MIN(TimeStamp) AS StartTime,
MAX(TimeStamp) AS EndTime,
SourceIP as A_IP,
SourceHostname as A_Hostname,
DestinationIP as B_IP,
DestinationHostname as B_Hostname,
ROUND(SUM(Bytes) / 1024.0 / 1024.0 / 1024.0, 2) As BytesGB, -- Convert Bytes to Gigabytes
ROUND(SUM(IngressBytes) / 1024.0 / 1024.0 / 1024.0, 2) as IngressBytesGB, -- Convert IngressBytes to Gigabytes
ROUND(SUM(EgressBytes) / 1024.0 / 1024.0 / 1024.0, 2) as EgressBytesGB, -- Convert EgressBytes to Gigabytes
SUM(IngressPackets) as IngressPackets,
SUM(EgressPackets) as EgressPackets,
SUM(Packets) as Packets
FROM Orion.Netflow.FlowsByConversation
WHERE Timestamp >= ADDHOUR(-1, GETDATE())
GROUP BY SourceIP, DestinationIP, SourceHostname, DestinationHostname
ORDER BY SUM(Bytes) DESC
