KQL Search

Query Details

HomeAI ToolsDevice Query

TLD By Count For Device Network Events

Query

DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
| where RemoteIPType == "Public"
//Remove start and end of URL
| extend RemoteUrl = iif(RemoteUrl startswith "https://",replace_string(RemoteUrl,"https://",""),iif(RemoteUrl startswith "http://",replace_string(RemoteUrl, "http://",""),RemoteUrl))
| extend slashindex = indexof(RemoteUrl, "/")
| extend RemoteUrl = iif(RemoteUrl contains "/",substring(RemoteUrl, 0, slashindex),RemoteUrl)
| extend tld = tostring(split(RemoteUrl, ".")[-1])
| extend VT_Link = strcat("https://www.virustotal.com/gui/domain/",RemoteUrl)
| extend Abuse_Link = strcat("https://www.abuseipdb.com/check/",RemoteIP)
| project-away slashindex
| project-reorder TimeGenerated, tld, VT_Link, Abuse_Link, RemoteUrl, InitiatingProcessAccountUpn, DeviceName
| extend Host_0_HostName = DeviceName
| extend Account_0_Name = InitiatingProcessAccountUpn
| extend URL_0_Url = RemoteUrl
| summarize count() by tld

Explanation

This KQL (Kusto Query Language) query is designed to analyze network connection events from devices over the past 90 days. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by looking at the DeviceNetworkEvents table.

  2. Time Filter: It filters the data to include only events generated in the last 90 days.

  3. Action Type: It further narrows down the data to events where the connection was successful (ActionType == "ConnectionSuccess").

  4. Remote URL and IP Type: It ensures that the RemoteUrl field is not empty and that the RemoteIPType is "Public".

  5. URL Processing:

    • It removes "https://" or "http://" from the beginning of the RemoteUrl.
    • It trims the URL to remove any path after the domain name, leaving just the domain.

  6. Top-Level Domain Extraction: It extracts the top-level domain (TLD) from the RemoteUrl.

  7. External Links:

    • It creates a link to VirusTotal for the domain.
    • It creates a link to AbuseIPDB for checking the RemoteIP.

  8. Data Organization:

    • It removes unnecessary columns and reorders the remaining ones.
    • It renames some columns for clarity, such as DeviceName to Host_0_HostName and InitiatingProcessAccountUpn to Account_0_Name.

  9. Summarization: Finally, it summarizes the data by counting the number of events for each top-level domain (TLD).

In essence, this query is used to track and analyze successful public network connections from devices, focusing on the domains being accessed, and provides links for further investigation into the domains and IPs involved.

Details

Jay Kerai profile picture

Jay Kerai

Released: February 23, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

DeviceNetworkEventswhereagoisnotemptyextendiifstartswithreplace_stringindexofcontainssubstringtostringsplitstrcatproject-awayproject-reordersummarizecountby

Actions