Also - once we observed the half-open connections via the netstat command, we pushed a CSP policy out to the SEPMs that logged all connections to the SEPM port. Then I created a query to create a list of "problem" clients. When we were deep into the problem we found that some clients had thousands of connections to the SEPM in the three-hour period we were reporting on.
If you plan to use this query, update the policy name with the name of the policy you decided to use. In my example I removed the policy name, so below it says POLICY_NAME = 'redacted'.
-- T-SQL against the CSP event view. One row per client/process/resource group,
-- busiest groups first; the three-hour window matches the reporting period above.
SELECT
    SUM(event_cnt)                              AS "Events",
    MAX(HOSTNAME)                               AS "Client",      -- grouped on below; shown so each row identifies its client
    HOSTADDR                                    AS "Client IP",
    MAX(VALUE1)                                 AS "Process Set",
    MAX(Process_name)                           AS "Process",
    dbo.FmtEventType(Event_Category, '', '')    AS "Event Type",
    MAX(CASE event_type
            WHEN 'PNET' THEN
                CASE OPERATION
                    -- Inbound: remote peer is VALUE5:VALUE6, local side is VALUE4:VALUE3.
                    -- Both DISPOSITION branches build the same text; 'D' is kept so denied
                    -- connections can be labelled differently later if wanted.
                    WHEN 'Accept' THEN
                        CASE DISPOSITION
                            WHEN 'D' THEN 'Inbound ' + target_info + ' Connect from '
                            ELSE          'Inbound ' + target_info + ' Connect from '
                        END
                        + VALUE5 + ':' + VALUE6 + ' to local IP ' + VALUE4 + ':' + VALUE3
                        + REPLACE(' (' + VALUE10 + ')', '()', '')      -- drop the "()" when VALUE10 is empty
                    -- Outbound: remote peer is VALUE5:VALUE6, local side is VALUE4:VALUE3.
                    WHEN 'Connect' THEN
                        CASE DISPOSITION
                            WHEN 'D' THEN 'Outbound ' + target_info + ' Connect to '
                            ELSE          'Outbound ' + target_info + ' Connect to '   -- was missing the space before "Connect"
                        END
                        + VALUE5 + ':' + VALUE6 + REPLACE(' (' + VALUE10 + ')', '()', '')
                        + ' from local IP ' + VALUE4 + ':' + VALUE3
                    ELSE 'Unknown network operation (' + COALESCE(OPERATION, '') + ')'
                END
            ELSE dbo.getpathleaf(target_info)
        END)                                    AS "Resource"
FROM CSPEVENT_VW WITH (NOLOCK)
WHERE EVENT_TYPE LIKE 'P%'
  AND event_dt > DATEADD(hh, -3, GETUTCDATE())
  AND POLICY_NAME = 'redacted'             -- replace with the name of your logging policy
  AND Process_name = 'Smc.exe'
GROUP BY
    SUBSTRING(PROCESS_NAME, 1, 50),
    SUBSTRING(dbo.getpathleaf(target_info), 1, 75),
    EVENT_CATEGORY,
    SUBSTRING(VALUE1, 1, 25),
    OPERATION, VALUE2, DISPOSITION, EVENT_SEVERITY,
    SUBSTRING(HOSTNAME, 1, 15), HOSTADDR, VALUE5, OSTYPE
ORDER BY 1 DESC
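A per-client roll-up with a threshold, added here as an example rather than taken from the post above: it reads the same CSPEVENT_VW view and uses the VALUE3/VALUE5/VALUE6 meanings implied by the Resource string in the query above, works whether the logging policy sits on the SEPM (Accept events) or on the clients (Connect events), and keeps only clients above a cutoff. The SEPM port is a placeholder and the 1000 threshold is a constructed value.

```sql
DECLARE @SepmPort  varchar(10) = '<sepm-port>';  -- placeholder: the port the SEPM listens on
DECLARE @Threshold int         = 1000;           -- constructed cutoff; "thousands" was the problem level
DECLARE @WindowHrs int         = 3;              -- same three-hour window as the query above

SELECT
    c.ClientAddr                                   AS "Client IP",
    MAX(c.ClientName)                              AS "Client Name",
    SUM(c.event_cnt)                               AS "Connections",
    SUM(CASE WHEN c.DISPOSITION = 'D' THEN c.event_cnt ELSE 0 END) AS "Denied",
    MIN(c.event_dt)                                AS "First Seen (UTC)",
    MAX(c.event_dt)                                AS "Last Seen (UTC)"
FROM (
    SELECT
        event_cnt, event_dt, DISPOSITION,
        -- Accept events are logged on the SEPM side: the client is the remote peer (VALUE5).
        -- Connect events are logged on the client side: the client is the local host.
        CASE WHEN OPERATION = 'Accept' THEN VALUE5 ELSE HOSTADDR END AS ClientAddr,
        CASE WHEN OPERATION = 'Accept' THEN NULL   ELSE HOSTNAME END AS ClientName,
        -- The SEPM port is the local port on Accept (VALUE3) and the remote port on Connect (VALUE6).
        CASE WHEN OPERATION = 'Accept' THEN VALUE3 ELSE VALUE6   END AS SepmPort
    FROM CSPEVENT_VW WITH (NOLOCK)
    WHERE EVENT_TYPE  = 'PNET'
      AND OPERATION  IN ('Accept', 'Connect')
      AND POLICY_NAME = 'redacted'             -- replace with the name of your logging policy
      AND event_dt    > DATEADD(hh, -@WindowHrs, GETUTCDATE())
      -- no Process_name filter: on the SEPM side the accepting process is not Smc.exe
) AS c
WHERE c.SepmPort = @SepmPort
GROUP BY c.ClientAddr
HAVING SUM(c.event_cnt) > @Threshold
ORDER BY "Connections" DESC;
```

Lower @Threshold to see the full distribution before deciding where "problem" starts.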