Query Details
Windows Find Net BIOS Name Service NBNS Usage UDP 137
Query
```kql // Find NetBIOS Name Service usage on UDP port 137 // Can be used to determine if NetBIOS can be disabled in environment DeviceNetworkEvents | where Timestamp > ago(30d) | where toupper(Protocol) == "UDP" | where RemotePort == 137 ```
Explanation
This query is designed to identify any usage of the NetBIOS Name Service over the last 30 days. It specifically looks for network events where the protocol used is UDP and the remote port is 137, which is associated with the NetBIOS Name Service. By analyzing these events, you can determine if NetBIOS is actively being used in your environment and decide if it can be safely disabled.
Details
Nathan Hutchinson
Released: February 15, 2026
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsTimestampProtocolRemotePort
Operators
agotoupper==>|where