Query Details

HTTP Request Methods Statistics

Query

# HTTP Request Methods Statistics
----
### Defender For Endpoint

```
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "HTTP_Client"
| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, " /", 0)[0])
| summarize count() by HTTP_Request_Method
```
### Sentinel
```
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "HTTP_Client"
| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, " /", 0)[0])
| summarize count() by HTTP_Request_Method
```

Explanation

The query retrieves statistics on HTTP request methods from network events in both Defender for Endpoint and Sentinel. It filters for events where the action type is "NetworkSignatureInspected" and the signature name is "HTTP_Client". It then extracts the HTTP request method from the signature matched content and summarizes the count of each request method.
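As an added variant of the query above (my own extension, not part of the original or of its author's work), the method is taken as the first whitespace-separated token of the request line, so absolute-form proxy requests and CONNECT requests still yield a real method instead of the whole line, and unrecognised first tokens are separated out with device and process context for triage. The list of standard methods and the DeviceId / InitiatingProcessFileName columns of DeviceNetworkEvents are assumptions of mine.

```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent)
| where SignatureName == "HTTP_Client"
// First token of the request line; splitting on " /" alone would return the whole
// line for "GET http://host/..." (proxy form) or "CONNECT host:443 HTTP/1.1".
| extend HTTP_Request_Method = toupper(tostring(split(SignatureMatchedContent, " ", 0)[0]))
// Assumed list of standard methods; anything else lands in the IsStandardMethod == false rows.
| extend IsStandardMethod = HTTP_Request_Method in ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE")
| summarize
     Requests = count(),
     Devices = dcount(DeviceId),
     Processes = make_set(InitiatingProcessFileName, 10),
     ExampleContent = take_any(SignatureMatchedContent)
     by HTTP_Request_Method, IsStandardMethod
| order by IsStandardMethod asc, Requests desc
```

Rows with IsStandardMethod == false are either non-HTTP traffic matched by the signature or a malformed request line; ExampleContent shows what was actually parsed.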

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,ActionType,SignatureName,SignatureMatchedContent,AdditionalFields,SamplePacketContent,HTTP_Request_Method

Operators

where,extend,tostring,parse_json,split,summarize,by
