Query Details

HTTP Request Methods Statistics

Query

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "HTTP_Client"
| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, " /", 0)[0])
| summarize count() by HTTP_Request_Method

About this query

HTTP Request Methods Statistics

Query Information

Description

HTTP Request Methods Statistics

Defender XDR

Sentinel

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "HTTP_Client"
| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, " /", 0)[0])
| summarize count() by HTTP_Request_Method

Explanation

This query is designed to analyze network events related to HTTP requests. Here's a simple breakdown of what it does:

  1. Data Source: It looks at network events from a dataset called DeviceNetworkEvents.

  2. Filter Events: It filters these events to only include those where the action type is "NetworkSignatureInspected". This means it focuses on events where network traffic has been inspected for known patterns or signatures.

  3. Extract Information: From these filtered events, it extracts additional details stored in a field called AdditionalFields. Specifically, it pulls out:

    • SignatureName: The name of the signature that matched the network traffic.
    • SignatureMatchedContent: The content that matched the signature.
    • SamplePacketContent: A sample of the network packet content.
  4. Focus on HTTP Clients: It further narrows down the data to only include events where the SignatureName is "HTTP_Client". This indicates that the events are related to HTTP client requests.

  5. Identify HTTP Methods: From the SignatureMatchedContent, it extracts the HTTP request method (like GET, POST, etc.) by splitting the content and taking the first part before the space and slash.

  6. Count Occurrences: Finally, it counts how many times each HTTP request method appears in the data.

In summary, this query provides statistics on the different types of HTTP request methods observed in network traffic, specifically for events identified as HTTP client requests.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsSignatureNameMatchedContentSamplePacketHTTPRequestMethod

Operators

whereextendtostringparse_jsonsplitsummarizecountby

Actions

GitHub