Defender-DeviceNetworkEvents
8 events across 8 channels
| Event ID | Title | Channel |
|---|---|---|
| 9004000 | Network activity (any) | DeviceNetworkEvents |
| 9004001 | Connection succeeded | ConnectionSuccess |
| 9004002 | Connection failed | ConnectionFailed |
| 9004003 | Inbound connection accepted | InboundConnectionAccepted |
| 9004004 | Listening connection created | ListeningConnectionCreated |
| 9004005 | Connection request | ConnectionRequest |
| 9004006 | DNS connection inspected | DnsConnectionInspected |
| 9004007 | DNS query / response | DnsQueryResponse |
Event ID 9004000 — Network activity (any)
Description
Network activity (any)
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| ActionType | — |
| RemoteIP | — |
| RemotePort | — |
| RemoteUrl | — |
| LocalIP | — |
| LocalPort | — |
| Protocol | — |
| InitiatingProcessFileName | — |
| InitiatingProcessCommandLine | — |
Detection Rules
Kusto Query Language
- Zinc Actor IOCs files - October 2022 (high): 'Identifies a match across filename and command line IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/'
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
Event ID 9004001 — Connection succeeded
Description
Connection succeeded
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| RemoteIP | — |
| RemotePort | — |
| RemoteUrl | — |
| Protocol | — |
| InitiatingProcessFileName | — |
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
Event ID 9004002 — Connection failed
Description
Connection failed
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| RemoteIP | — |
| RemotePort | — |
| Protocol | — |
| InitiatingProcessFileName | — |
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
Event ID 9004003 — Inbound connection accepted
Description
Inbound connection accepted
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| LocalIP | — |
| LocalPort | — |
| RemoteIP | — |
| Protocol | — |
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
Event ID 9004004 — Listening connection created
Description
Listening connection created
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| LocalIP | — |
| LocalPort | — |
| Protocol | — |
| InitiatingProcessFileName | — |
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
Event ID 9004005 — Connection request
Description
Connection request
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| RemoteIP | — |
| RemotePort | — |
| Protocol | — |
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
Event ID 9004006 — DNS connection inspected
Description
DNS connection inspected
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| RemoteUrl | — |
| RemoteIP | — |
| Protocol | — |
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
Event ID 9004007 — DNS query / response
Description
DNS query / response
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| RemoteUrl | — |
| RemoteIP | — |
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table