Defender-DeviceNetworkEvents
8 ActionTypes
| ActionType | Title |
|---|---|
| any | Network activity (any) |
| ConnectionSuccess | Connection succeeded |
| ConnectionFailed | Connection failed |
| InboundConnectionAccepted | Inbound connection accepted |
| ListeningConnectionCreated | Listening connection created |
| ConnectionRequest | Connection request |
| DnsConnectionInspected | DNS connection inspected |
| DnsQueryResponse | DNS query / response |
any: Network activity (any)
Description #
Network activity (any): the catch-all entry for rules that query DeviceNetworkEvents without restricting themselves to one of the concrete ActionTypes listed above.
Fields #
| Name | Description | Rules |
|---|---|---|
| DeviceId | Unique identifier for the device in the service | |
| Timestamp | Date and time when the event was recorded | |
| ActionType | Type of activity that triggered the event | |
| RemoteIP | IP address that was being connected to | |
| RemotePort | TCP port on the remote device that was being connected to | |
| RemoteUrl | URL or fully qualified domain name (FQDN) that was being connected to | |
| LocalIP | IP address assigned to the local device used during communication | |
| LocalPort | TCP port on the local device used during communication | |
| Protocol | Protocol used during the communication | |
| InitiatingProcessFileName | Name of the process that initiated the event | 2 |
| InitiatingProcessCommandLine | Command line used to run the initiating process | |
Detection Patterns #
Lateral Movement: Distributed Component Object Model (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| parent_process_name | eq | svchost.exe | 1 rule | elastic, kusto, splunk |
| CommandLine | contains | commandline | 1 rule | kusto, splunk |
| EventType | ne | ListeningConnectionCreated | 1 rule | kusto |
Detection Rules #
Kusto #
- Zinc Actor IOCs files - October 2022 (severity: high): Identifies a match across filename and command-line IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports: The query below detects suspicious beaconing activity by analyzing DeviceNetworkEvents Aggregated Reports telemetry. Use it as a starting point and refine further, as it may generate too many results.
- Suspicious Network Connections - Supply Chain Attack: The query below detects unusual network connections from servers that have third-party software installed. You can further improve the query by using a list of servers that have privileges across the whole domain.
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/
ConnectionSuccess: Connection succeeded
Description #
Connection succeeded: an outbound TCP connection initiated by a process on the device completed successfully.
Fields #
| Name | Description |
|---|---|
| DeviceId | Unique identifier for the device in the service |
| Timestamp | Date and time when the event was recorded |
| RemoteIP | IP address that was being connected to |
| RemotePort | TCP port on the remote device that was being connected to |
| RemoteUrl | URL or fully qualified domain name (FQDN) that was being connected to |
| Protocol | Protocol used during the communication |
| InitiatingProcessFileName | Name of the process that initiated the event |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | eq | ConnectionSuccess | 5 rules | kusto |
| DestinationPort | eq | 9389 | 2 rules | elastic, kusto, sigma, splunk |
| EventType | in | FileCreated | 1 rule | kusto |
| EventType | in | FileModified | 1 rule | kusto |
| RemoteIPType | eq | Public | 1 rule | kusto |
| DestinationPort | in | 80 | 1 rule | kusto, splunk |
| outliers | gt | 2 | 1 rule | kusto |
Detection Rules #
Kusto #
- SUNBURST network beacons (severity: medium): Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents. References: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html and https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- Suspicious office child process created: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process, this is reported as suspicious.
- NTLM Relay Attack: This query searches for successful NTLM network logins where the device name contained in the NTLM authentication message matches a device that is known to MDE, but the source IP address is different from the known source IP address for that specific device. This could indicate an attacker is relaying the NTLM authentication information. To remove false positives, this query also searches for an outgoing network connection from the initiator to the attacker.
- ADWS Connection from Unexpected Binary: This query first collects the IP addresses of all machines that have the Active Directory Web Services (ADWS) service running. It then searches for network connections to these IP addresses from processes that are not expected to connect to ADWS.
- ADWS Connection from Process Injection Target: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.
- Suspicious Network Beacons - Microsoft Defender (MDE/M365D): The query below detects suspicious beaconing activity by analyzing DeviceNetworkEvents data.
- Rogue RDP: Suspicious File Creation: The query below detects file creations by mstsc.exe where it also makes a network connection to a public IP address. This behavior is an indication of Rogue RDP. False positives: copying files to the local machine over RDP may cause false positives.
- Server Network Connection Anomalies: Servers have a specific baseline. This makes it easy to create a baseline and detect anomalies. The queries below analyze the network connections made by the specified servers and detect the rare/anomalous ones. You can add process info to the analysis, but it will probably generate more results (different processes for the same IP).
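The two "Suspicious Network Beacons" rules (the one listed under the `any` ActionType against Aggregated Reports telemetry and the one listed here against raw DeviceNetworkEvents) share one core idea: many successful connections from the same process on the same device to the same destination at near-constant intervals. The following Python is an added example of that logic, not the rules' own KQL. It groups `ConnectionSuccess` rows by device, destination, port and initiating process, computes the inter-connection intervals and flags groups whose interval jitter (standard deviation divided by mean) is low. The sample rows, the thresholds (10 connections, 10% jitter), the `RemoteIPType == "Public"` filter and all process and address names are constructed for the example.

```python
"""Beaconing detector modelled on the "Suspicious Network Beacons" rules.

Added example, not the rules' own KQL: it applies the same grouping and
interval-regularity test to constructed DeviceNetworkEvents-shaped rows.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _row(ts, device, rip, rport, iptype, proc, action="ConnectionSuccess"):
    """One DeviceNetworkEvents-shaped row (only the fields the detector needs)."""
    return {"Timestamp": ts, "DeviceId": device, "ActionType": action,
            "RemoteIP": rip, "RemotePort": rport, "RemoteIPType": iptype,
            "InitiatingProcessFileName": proc}


def sample_events():
    """Constructed sample telemetry (not real data)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    # A beacon: updater.exe reaches 203.0.113.10:443 every ~60 s with a few seconds of jitter.
    for i, jitter in enumerate([0, 2, -1, 1, -2, 0, 1, -1, 2, 0, -1, 1]):
        rows.append(_row(t0 + timedelta(seconds=60 * i + jitter), "dev-01",
                         "203.0.113.10", 443, "Public", "updater.exe"))
    # Browser noise: bursty, irregular connections to a CDN address (same count, no rhythm).
    for offset in (0, 7, 9, 40, 41, 130, 400, 401, 402, 900, 1500, 1501):
        rows.append(_row(t0 + timedelta(seconds=offset), "dev-01",
                         "198.51.100.5", 443, "Public", "chrome.exe"))
    # Perfectly periodic but internal (a monitoring agent): dropped by the Public-only filter.
    for i in range(12):
        rows.append(_row(t0 + timedelta(seconds=30 * i), "dev-01",
                         "10.0.0.20", 8443, "Private", "agent.exe"))
    return rows


def find_beacons(events, min_connections=10, max_jitter=0.1, public_only=True):
    """Flag (device, remote IP, port, process) groups whose successful connections
    are frequent and evenly spaced. Thresholds are assumptions; tune per environment."""
    groups = defaultdict(list)
    for e in events:
        if e["ActionType"] != "ConnectionSuccess":
            continue
        if public_only and e.get("RemoteIPType") != "Public":
            continue
        key = (e["DeviceId"], e["RemoteIP"], e["RemotePort"], e["InitiatingProcessFileName"])
        groups[key].append(e["Timestamp"])

    hits = []
    for (device, rip, rport, proc), stamps in groups.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        # Seconds between consecutive connections; a beacon keeps these nearly constant.
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue
        jitter = pstdev(deltas) / avg  # coefficient of variation of the intervals
        if jitter <= max_jitter:
            hits.append({"DeviceId": device, "RemoteIP": rip, "RemotePort": rport,
                         "InitiatingProcessFileName": proc, "Connections": len(stamps),
                         "MeanIntervalSec": round(avg, 1), "Jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(sample_events()):
        print(hit)
```

On real data the same grouping and jitter test become a `summarize` over `datetime_diff` of `prev(Timestamp)` per group. The Public-only filter is what keeps internal monitoring agents out of the results (pass `public_only=False` and the periodic `agent.exe` traffic is flagged too), and the thresholds need tuning: legitimate updaters also beacon, which is why the rule descriptions warn about result volume.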
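The "ADWS Connection from Unexpected Binary" rule described above has two steps: find the hosts running Active Directory Web Services, then find connections to them from processes that have no business talking to ADWS. The following Python is an added example of those two steps over constructed DeviceNetworkEvents-shaped rows, not the rule's own KQL. It assumes ADWS hosts can be discovered from `ListeningConnectionCreated` rows on TCP 9389 (the port that also appears in the Common Indicators above), and the allowlist of expected client processes, the device names and the addresses are assumptions for the example.

```python
"""ADWS (TCP 9389) connections from unexpected binaries.

Added example modelled on the "ADWS Connection from Unexpected Binary" rule;
not that rule's KQL. Step 1 enumerates hosts seen listening on 9389, step 2
flags successful connections to them from processes outside an allowlist.
"""

ADWS_PORT = 9389  # Active Directory Web Services

# Assumed allowlist of processes that legitimately talk to ADWS (the
# ActiveDirectory PowerShell module, Active Directory Administrative Center).
EXPECTED_ADWS_CLIENTS = frozenset({"powershell.exe", "pwsh.exe", "dsac.exe"})


def sample_events():
    """Constructed DeviceNetworkEvents-shaped rows (not real telemetry)."""
    return [
        # dc-01 hosts ADWS: the service process is seen listening on 9389.
        {"DeviceId": "dc-01", "ActionType": "ListeningConnectionCreated",
         "LocalIP": "10.0.0.5", "LocalPort": ADWS_PORT, "RemoteIP": "", "RemotePort": 0,
         "InitiatingProcessFileName": "Microsoft.ActiveDirectory.WebServices.exe"},
        # Admin workstation using the ActiveDirectory module: expected.
        {"DeviceId": "ws-admin", "ActionType": "ConnectionSuccess",
         "LocalIP": "10.0.1.10", "LocalPort": 51000, "RemoteIP": "10.0.0.5",
         "RemotePort": ADWS_PORT, "InitiatingProcessFileName": "powershell.exe"},
        # rundll32.exe pulling directory data over ADWS: unexpected.
        {"DeviceId": "ws-042", "ActionType": "ConnectionSuccess",
         "LocalIP": "10.0.1.42", "LocalPort": 51234, "RemoteIP": "10.0.0.5",
         "RemotePort": ADWS_PORT, "InitiatingProcessFileName": "rundll32.exe"},
        # Same workstation, SMB to the DC: not ADWS, ignored.
        {"DeviceId": "ws-042", "ActionType": "ConnectionSuccess",
         "LocalIP": "10.0.1.42", "LocalPort": 51235, "RemoteIP": "10.0.0.5",
         "RemotePort": 445, "InitiatingProcessFileName": "explorer.exe"},
        # 9389 on a host never seen listening (not onboarded, or not a DC):
        # skipped by step 1, which is the rule's blind spot.
        {"DeviceId": "ws-042", "ActionType": "ConnectionSuccess",
         "LocalIP": "10.0.1.42", "LocalPort": 51236, "RemoteIP": "10.0.0.9",
         "RemotePort": ADWS_PORT, "InitiatingProcessFileName": "rundll32.exe"},
    ]


def adws_hosts(events):
    """Step 1: IPs of devices observed listening on the ADWS port."""
    return {e["LocalIP"] for e in events
            if e["ActionType"] == "ListeningConnectionCreated"
            and e["LocalPort"] == ADWS_PORT}


def unexpected_adws_connections(events, expected=EXPECTED_ADWS_CLIENTS):
    """Step 2: successful connections to a known ADWS host on 9389 from a
    process that is not on the allowlist. Returns (device, process, target)."""
    hosts = adws_hosts(events)
    hits = []
    for e in events:
        if e["ActionType"] != "ConnectionSuccess":
            continue
        if e["RemotePort"] != ADWS_PORT or e["RemoteIP"] not in hosts:
            continue
        if e["InitiatingProcessFileName"].lower() in expected:
            continue
        hits.append((e["DeviceId"], e["InitiatingProcessFileName"], e["RemoteIP"]))
    return hits


if __name__ == "__main__":
    for device, proc, target in unexpected_adws_connections(sample_events()):
        print(f"{device}: {proc} -> {target}:{ADWS_PORT}")
```

Step 1 only sees domain controllers that are onboarded to Defender for Endpoint; if they are not, seed the host set from a static DC list instead of `adws_hosts`. A process on the allowlist can still be abused, which is what the companion "ADWS Connection from Process Injection Target" rule covers by looking for injection into the processes that make these connections.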
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/
ConnectionFailed: Connection failed
Description #
Connection failed: an outbound connection attempt initiated by a process on the device did not complete.
Fields #
| Name | Description |
|---|---|
| DeviceId | Unique identifier for the device in the service |
| Timestamp | Date and time when the event was recorded |
| RemoteIP | IP address that was being connected to |
| RemotePort | TCP port on the remote device that was being connected to |
| Protocol | Protocol used during the communication |
| InitiatingProcessFileName | Name of the process that initiated the event |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/
InboundConnectionAccepted: Inbound connection accepted
Description #
Inbound connection accepted: a listening process on the device accepted a connection from a remote host.
Fields #
| Name | Description |
|---|---|
| DeviceId | Unique identifier for the device in the service |
| Timestamp | Date and time when the event was recorded |
| LocalIP | IP address assigned to the local device used during communication |
| LocalPort | TCP port on the local device used during communication |
| RemoteIP | IP address of the remote host that connected |
| Protocol | Protocol used during the communication |
Detection Patterns #
Lateral Movement: SMB/Windows Admin Shares (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| parent_process_name | eq | services.exe | 1 rule | elastic, kusto, splunk |
| file_name | in | cmd.exe | 1 rule | kusto |
| file_name | in | ftp.exe | 1 rule | kusto |
| file_name | in | msiexec.exe | 1 rule | kusto |
| file_name | in | regsvr32.exe | 1 rule | kusto |
| file_name | in | rundll32.exe | 1 rule | kusto |
| file_name | in | schtasks.exe | 1 rule | kusto |
| file_name | in | agentexecutor.exe | 1 rule | kusto |
| file_name | in | appvlp.exe | 1 rule | kusto |
| file_name | in | at.exe | 1 rule | kusto |
| file_name | in | atbroker.exe | 1 rule | kusto |
| file_name | in | bash.exe | 1 rule | kusto |
| file_name | in | bginfo.exe | 1 rule | kusto |
| file_name | in | bitsadmin.exe | 1 rule | kusto |
| file_name | in | cdb.exe | 1 rule | kusto |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/
ListeningConnectionCreated: Listening connection created
Description #
Listening connection created: a process on the device opened a socket in listening state.
Fields #
| Name | Description |
|---|---|
| DeviceId | Unique identifier for the device in the service |
| Timestamp | Date and time when the event was recorded |
| LocalIP | IP address assigned to the local device used during communication |
| LocalPort | TCP port on the local device used during communication |
| Protocol | Protocol used during the communication |
| InitiatingProcessFileName | Name of the process that initiated the event |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/
ConnectionRequest: Connection request
Description #
Connection request: an outbound connection was requested by a process on the device.
Fields #
| Name | Description |
|---|---|
| DeviceId | Unique identifier for the device in the service |
| Timestamp | Date and time when the event was recorded |
| RemoteIP | IP address that was being connected to |
| RemotePort | TCP port on the remote device that was being connected to |
| Protocol | Protocol used during the communication |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/
DnsConnectionInspected: DNS connection inspected
Description #
DNS connection inspected: a DNS exchange between the device and a resolver was inspected.
Fields #
| Name | Description |
|---|---|
| DeviceId | Unique identifier for the device in the service |
| Timestamp | Date and time when the event was recorded |
| RemoteUrl | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteIP | IP address that was being connected to |
| Protocol | Protocol used during the communication |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/
DnsQueryResponse: DNS query / response
Description #
DNS query / response: a DNS query issued from the device and the response it received.
Fields #
| Name | Description |
|---|---|
| DeviceId | Unique identifier for the device in the service |
| Timestamp | Date and time when the event was recorded |
| RemoteUrl | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteIP | IP address that was being connected to |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/