Query Details

Display the Inspected Network Signatures

Visualization Inspected Network Signatures

Query

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = parse_json(AdditionalFields).SignatureName,
     SignatureMatchedContent = 
parse_json(AdditionalFields).SignatureMatchedContent
| summarize count() by tostring(SignatureName)
| render piechart with(title="Inspected Network Signatures")

About this query

Display the Inspected Network Signatures

Defender XDR

Sentinel

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = parse_json(AdditionalFields).SignatureName,
     SignatureMatchedContent = 
parse_json(AdditionalFields).SignatureMatchedContent
| summarize count() by tostring(SignatureName)
| render piechart with(title="Inspected Network Signatures")

Explanation

This query is designed to analyze network events where specific network signatures have been inspected. It is applicable to both Defender XDR and Sentinel platforms. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at the DeviceNetworkEvents table, which contains records of network-related activities.

  2. Filter: It filters the data to only include events where the ActionType is "NetworkSignatureInspected". This means it focuses on events where network signatures have been checked or analyzed.

  3. Extract Information: It extracts two pieces of information from the AdditionalFields column:

    • SignatureName: The name of the network signature that was inspected.
    • SignatureMatchedContent: The content that matched the signature (though this is extracted, it is not used further in the query).
  4. Summarize: It counts how many times each unique SignatureName appears in the filtered data. This gives an idea of which network signatures are being inspected most frequently.

  5. Visualize: Finally, it creates a pie chart to visually represent the count of each SignatureName, with the chart titled "Inspected Network Signatures". This helps in quickly understanding the distribution of inspected network signatures.

In summary, the query identifies and visualizes the frequency of different network signatures being inspected in network events.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsSignatureNameMatchedContent

Operators

whereextendparse_jsonsummarizecounttostringrenderwith

Actions

GitHub