List the file extentions that have been used during a HTTP GET request
HTTP Downloads By File Extention
Query
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "HTTP_Client"
| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, " /", 0)[0])
| where HTTP_Request_Method == "GET"
| extend DownloadedContent = extract(@'.*/(.*)HTTP', 1, SignatureMatchedContent)
| extend DownloadContentFileExtention = extract(@'.*\.(.*)$', 1, DownloadedContent)
// limit DownloadContentFileExtention size to reduce false positives
| where isnotempty(DownloadContentFileExtention) and string_size(DownloadContentFileExtention) < 8
| summarize Total = count() by DownloadContentFileExtention
| sort by TotalAbout this query
List the file extentions that have been used during a HTTP GET request
Description
List the file extentions that have been used during a HTTP GET request
Defender XDR
Sentinel
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "HTTP_Client"
| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, " /", 0)[0])
| where HTTP_Request_Method == "GET"
| extend DownloadedContent = extract(@'.*/(.*)HTTP', 1, SignatureMatchedContent)
| extend DownloadContentFileExtention = extract(@'.*\.(.*)$', 1, DownloadedContent)
// limit DownloadContentFileExtention size to reduce false positives
| where isnotempty(DownloadContentFileExtention) and string_size(DownloadContentFileExtention) < 8
| summarize Total = count() by DownloadContentFileExtention
| sort by Total
Explanation
This query is designed to identify and list the file extensions of files that have been requested via HTTP GET requests. Here's a simplified breakdown of what the query does:
-
Filter Events: It starts by filtering network events to only include those where a network signature inspection has occurred (
ActionType == "NetworkSignatureInspected"). -
Extract Information: It extracts specific fields from the
AdditionalFieldsJSON, such asSignatureName,SignatureMatchedContent, andSamplePacketContent. -
Identify HTTP GET Requests: It further filters these events to only include those where the signature name is "HTTP_Client" and the HTTP request method is "GET".
-
Extract File Information: From the
SignatureMatchedContent, it extracts the content that was downloaded and specifically isolates the file extension of this content. -
Filter and Limit Extensions: It ensures that the file extension is not empty and is less than 8 characters long to reduce false positives.
-
Summarize and Sort: Finally, it counts the occurrences of each file extension and sorts them by the total count, providing a list of file extensions used in HTTP GET requests, ordered by frequency.
This query is useful for understanding what types of files are being requested over the network, which can be important for security monitoring and analysis.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators