Query Details

Visualization Inspected Network Signatures

Query

# Display the Inspected Network Signatures


### Defender For Endpoint

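```
DeviceNetworkEvents
// Keep only events raised when a network signature was inspected
| where ActionType == "NetworkSignatureInspected"
// Extract the signature fields from the AdditionalFields JSON column
| extend
     SignatureName = parse_json(AdditionalFields).SignatureName,
     SignatureMatchedContent = parse_json(AdditionalFields).SignatureMatchedContent
// Count events per signature and show the distribution as a pie chart
| summarize count() by tostring(SignatureName)
| render piechart with(title="Inspected Network Signatures")
```
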
### Sentinel
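```
DeviceNetworkEvents
// Keep only events raised when a network signature was inspected
| where ActionType == "NetworkSignatureInspected"
// Extract the signature fields from the AdditionalFields JSON column
| extend
     SignatureName = parse_json(AdditionalFields).SignatureName,
     SignatureMatchedContent = parse_json(AdditionalFields).SignatureMatchedContent
// Count events per signature and show the distribution as a pie chart
| summarize count() by tostring(SignatureName)
| render piechart with(title="Inspected Network Signatures")
```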



Explanation

The same query runs in both Defender for Endpoint and Sentinel and displays the inspected network signatures. It filters the DeviceNetworkEvents table for events with the ActionType "NetworkSignatureInspected", then uses extend with parse_json to extract the SignatureName and SignatureMatchedContent fields from the AdditionalFields column. Finally, it summarizes the count of events per SignatureName and renders the result as a pie chart titled "Inspected Network Signatures".

Details


Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,ActionType,SignatureName,AdditionalFields,SignatureMatchedContent,count(),render,piechart,title

Operators

where, extend, parse_json, summarize, render
