Defender-DeviceNetworkEvents

8 ActionTypes

ActionType                  Title
any                         Network activity (any)
ConnectionSuccess           Connection succeeded
ConnectionFailed            Connection failed
InboundConnectionAccepted   Inbound connection accepted
ListeningConnectionCreated  Listening connection created
ConnectionRequest           Connection request
DnsConnectionInspected      DNS connection inspected
DnsQueryResponse            DNS query / response

any: Network activity (any)

Provider: Defender-DeviceNetworkEvents
Channel: DeviceNetworkEvents

Description

Network activity (any)

Fields

Name                          Rules
DeviceId
Timestamp
ActionType
RemoteIP
RemotePort
RemoteUrl
LocalIP
LocalPort
Protocol
InitiatingProcessFileName     2
InitiatingProcessCommandLine

Detection Patterns

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field                Kind      Value                       Rules   Vendors
parent_process_name  eq        svchost.exe                 1 rule  elastic, kusto, splunk
CommandLine          contains  commandline                 1 rule  kusto, splunk
EventType            ne        ListeningConnectionCreated  1 rule  kusto

ConnectionSuccess: Connection succeeded

Provider: Defender-DeviceNetworkEvents
Channel: ConnectionSuccess

Description

Connection succeeded

Fields

Name
DeviceId
Timestamp
RemoteIP
RemotePort
RemoteUrl
Protocol
InitiatingProcessFileName

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field            Kind  Value              Rules    Vendors
EventType        eq    ConnectionSuccess  5 rules  kusto
DestinationPort  eq    9389               2 rules  elastic, kusto, sigma, splunk
EventType        in    FileCreated        1 rule   kusto
EventType        in    FileModified       1 rule   kusto
RemoteIPType     eq    Public             1 rule   kusto
DestinationPort  in    80                 1 rule   kusto, splunk
outliers         gt    2                  1 rule   kusto

Detection Rules

Kusto (8 rules reference this event; 5 shown)

  • ADWS Connection from Unexpected Binary: This query first collects the IP addresses of all machines that have the Active Directory Web Services (ADWS) service running. It then searches for network connections to these IP addresses from processes that are not expected to connect to ADWS.
  • ADWS Connection from Process Injection Target: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.
  • Suspicious Network Beacons - Microsoft Defender (MDE/M365D): The query below detects suspicious beaconing activity by analyzing DeviceNetworkEvents data.
  • Rouge RDP: Suspicious File Creation: The query below detects file creations of mstsc.exe where it also makes a network connection to a public IP address. This behavior is an indication of Rogue RDP.
    False Positives: Copying files to the local machine over RDP may cause false positives.
  • Server Network Connection Anomalies: Servers have a specific baseline. This makes it easy to create a baseline and detect anomalies.
    The queries below analyze the network connections made by the specified servers and detect the rare/anomalous ones.
    You can add process info to the analysis, but it will probably generate more results (different processes for the same IP).

ConnectionFailed: Connection failed

Provider: Defender-DeviceNetworkEvents
Channel: ConnectionFailed

Description

Connection failed

Fields

Name
DeviceId
Timestamp
RemoteIP
RemotePort
Protocol
InitiatingProcessFileName

InboundConnectionAccepted: Inbound connection accepted

Provider: Defender-DeviceNetworkEvents
Channel: InboundConnectionAccepted

Description

Inbound connection accepted

Fields

Name
DeviceId
Timestamp
LocalIP
LocalPort
RemoteIP
Protocol

Detection Patterns

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field                Kind  Value              Rules   Vendors
parent_process_name  eq    services.exe       1 rule  elastic, kusto, splunk
file_name            in    cmd.exe            1 rule  kusto
file_name            in    ftp.exe            1 rule  kusto
file_name            in    msiexec.exe        1 rule  kusto
file_name            in    regsvr32.exe       1 rule  kusto
file_name            in    rundll32.exe       1 rule  kusto
file_name            in    schtasks.exe       1 rule  kusto
file_name            in    agentexecutor.exe  1 rule  kusto
file_name            in    appvlp.exe         1 rule  kusto
file_name            in    at.exe             1 rule  kusto
file_name            in    atbroker.exe       1 rule  kusto
file_name            in    bash.exe           1 rule  kusto
file_name            in    bginfo.exe         1 rule  kusto
file_name            in    bitsadmin.exe      1 rule  kusto
file_name            in    cdb.exe            1 rule  kusto

ListeningConnectionCreated: Listening connection created

Provider: Defender-DeviceNetworkEvents
Channel: ListeningConnectionCreated

Description

Listening connection created

Fields

Name
DeviceId
Timestamp
LocalIP
LocalPort
Protocol
InitiatingProcessFileName

ConnectionRequest: Connection request

Provider: Defender-DeviceNetworkEvents
Channel: ConnectionRequest

Description

Connection request

Fields

Name
DeviceId
Timestamp
RemoteIP
RemotePort
Protocol

DnsConnectionInspected: DNS connection inspected

Provider: Defender-DeviceNetworkEvents
Channel: DnsConnectionInspected

Description

DNS connection inspected

Fields

Name
DeviceId
Timestamp
RemoteUrl
RemoteIP
Protocol

DnsQueryResponse: DNS query / response

Provider: Defender-DeviceNetworkEvents
Channel: DnsQueryResponse

Description

DNS query / response

Fields

Name
DeviceId
Timestamp
RemoteUrl
RemoteIP