Defender-DeviceNetworkEvents

11 ActionTypes

ActionType	Title
any	Network activity (any)
ConnectionSuccess	Connection succeeded
ConnectionFailed	Connection failed
InboundConnectionAccepted	Inbound connection accepted
ListeningConnectionCreated	Listening connection created
ConnectionRequest	Connection request
DnsConnectionInspected	DNS connection inspected
DnsQueryResponse	DNS query / response
ConnectionAttempt	Connection attempt
ConnectionFound	Connection found
NetworkSignatureInspected	Network signature inspected

any: Network activity (any)

Table: DeviceNetworkEvents

Description

Network activity (any)

Fields #

Name	Description	Rules
`DeviceId`
`Timestamp`
`ActionType`
`RemoteIP`
`RemotePort`
`RemoteUrl`
`LocalIP`
`LocalPort`
`Protocol`
`InitiatingProcessFileName`		2 detection rules
`InitiatingProcessCommandLine`

Detection Patterns #

Lateral Movement: Distributed Component Object Model

Defender-DeviceNetworkEvents any: Network activityORSecurity-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 3: Network connection

2 rules

Kusto

DCOM Lateral Movement (source)

Hunt for ADWS requests from unknown devices (source)

Robbe Van den Daele

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	contains	`inboundconnection`	1 rule	kusto
`EventType`	ne	`ListeningConnectionCreated`	2 rules	kusto
`CommandLine`	contains	`commandline`	1 rule	kusto, splunk
`OnboardingStatus`	ne	`Onboarded`	1 rule	kusto
`parent_process_name`	eq	`msiexec.exe`	1 rule	elastic, kusto, splunk
`parent_process_name`	eq	`svchost.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

Zinc Actor IOCs files - October 2022 source high: Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents Aggregated Reports telemetry. Use it as a starting point and refine further as it may generate too many results.
Suspicious Network Connections - Supply Chain Attack source: Below query detects unusual network conenctions from servers that have 3rd party software installed.
You can further improve the query by using a list of servers that have privileges across the whole domain.

Show 4 more (7 total)

Detect CVE exploits on network for which a device is vulnerable source: This detection query can be used to find specific CVE exploits passing on the wire for which the device is vulnerable. This query should have a very high TP rate, and can be considered as a 'High severity' query.
Detect Msiexec executing DLL network connections source: Adversaries regularly use Msiexec (or other lolbins) to execute their malicious programs with. A common way to do this is more specifically using Msiexec to execute beacons encapsulated in DLL files. While this happens a lot in legitimate cases, a DLL file loaded via Msiexec starting network connections may indicate a beacon running. > [!WARNING] > You might need to add environment specific finetuning to this rule in order to reduce BP detections from legitimate processes.
Hunt for public facing devices via DeviceNetworkEvents source: Find public facing devices via the DeviceNetworkEvents table.
Hunt MDE with GSA events source: This rule correlates the Microsoft Defender for Endpoint DeviceNetworkEvents table with the Global Secure Access NetworkAccessTraffic table. By doing this, you can enrich the MDE events which contains detailed process information with the GSA events that contains detailed HTTP header information and more.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

ConnectionSuccess: Connection succeeded

Table: DeviceNetworkEvents

Description

Connection succeeded

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteIP`
`RemotePort`
`RemoteUrl`
`Protocol`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ConnectionSuccess`	7 rules	kusto
`EventType`	in	`ConnectionSuccess`	3 rules	kusto
`EventType`	in	`ConnectionAttempt`	2 rules	kusto
`EventType`	in	`ConnectionFailed`	2 rules	kusto
`EventType`	in	`ConnectionRequest`	2 rules	kusto
`DestinationPort`	eq	`3389`	2 rules	elastic, kusto, sigma, splunk
`DestinationPort`	eq	`9389`	2 rules	elastic, kusto, sigma, splunk
`DestinationPort`	in	`445`	3 rules	elastic, kusto
`DestinationPort`	in	`135`	2 rules	kusto
`DestinationPort`	in	`3389`	2 rules	elastic, kusto
`DestinationPort`	in	`5985`	2 rules	elastic, kusto
`DestinationPort`	in	`5986`	2 rules	elastic, kusto
`DestinationPort`	in	`22`	1 rule	elastic, kusto
`DestinationPort`	in	`5900`	1 rule	kusto
`DestinationPort`	in	`80`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

SUNBURST network beacons source medium: Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious.
NTLM Relay Attack source: This query searches for successful NTLM network logins where the device name contained in the NTLM authentication message contains a device that is known to MDE, but the source IP address is different from the known source IP address for that specific device. This could indicate an attacker is relaying the NTLM authentication information. To remove false positives, this query also searches for an outgoing network connection from the initiator to the attacker.↳ also matches ConnectionAttempt: Connection attempt

Show 10 more (13 total)

ADWS Connection from Unexpected Binary source: This query first collects the IP addresses of all machines that have the Active Directory Web Services (ADWS) service running. It then searches for network connections to these IP addresses from processes that are not expected to connect to ADWS.
ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.
Suspicious Network Beacons - Microsoft Defender(MDE/M365D) source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents data.
Rouge RDP: Suspicious File Creation source: Below query detects file creations of mstsc.exe where it also makes a network connection to a public IP address. This behavior is an indication of Rogue RDP.
False Positives: Copying files to the local machine over RDP may cause false positives.
Server Network Connection Anomalies source: Servers have a specific baseline. This makes it easy to create a baseline and detect anomalies.
Below queries analyze the network connections made by the specified servers and detects the rare/anomalous ones.
You can add process info to the analysis, but it will probably generate more results(different processes for the same IP).
Detect process drops via Azure Custom Script Extension performing lateral movement source: This detection rule spots processes that where dropped via Azure Custom Script Extension on a machine and are now performing lateral movement. A common procedures for attackers when they compromised one machine is to move laterally to other machines via common protocols such as RDP, SSH, VNC, WMI, RPC, etc. It is not very common in an environment that Custom Script Extensions is being used for this.
Detect Unknown process using SMB or WinRM source: WinRM and SMB are popular network protocols to perform lateral movement by adversaries (while there are some others as well). When an unknown process is performing SMB or WinRM network connections, this might indicate that a malware process is trying to move laterally to other devices in your network. > [!WARNING] > This detection rule is the base for the detection. You will need to add environment specific finetuning in order to limit the BP detections on legitimate processes
Hunt for devices doing first RDP session source: This hunting query can help you find devices doing an RDP connection for the first time in 30 days. While this can be normal behavior, it might be interesting to look at why this device is suddenly doing an RDP connection.
Hunt for RDP sessions to unmanaged and non TPM devices source: This query can help you find devices performing RDP sessions to unmanaged or non-TPM protected devices.
Hunt for Defender for Identity NNR issues source: This query can help you in finding Network Name Resolution health issues of Microsoft Defender for Identity. NNR is a critical component which is used to get more information on IP addresses seen by MDI. Without NNR proparly working, MDI can throw a lot of False Positive alerts.↳ also matches ConnectionFailed: Connection failed

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

ConnectionFailed: Connection failed

Table: DeviceNetworkEvents

Description

Connection failed

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteIP`
`RemotePort`
`Protocol`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`DestinationPort`	in	`135`	1 rule	kusto
`DestinationPort`	in	`3389`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Hunt for Defender for Identity NNR issues source: This query can help you in finding Network Name Resolution health issues of Microsoft Defender for Identity. NNR is a critical component which is used to get more information on IP addresses seen by MDI. Without NNR proparly working, MDI can throw a lot of False Positive alerts.↳ also matches ConnectionSuccess: Connection succeeded

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

InboundConnectionAccepted: Inbound connection accepted

Table: DeviceNetworkEvents

Description

Inbound connection accepted

Fields #

Name	Description
`DeviceId`
`Timestamp`
`LocalIP`
`LocalPort`
`RemoteIP`
`Protocol`

Detection Patterns #

Lateral Movement: SMB/Windows Admin Shares

Defender-DeviceNetworkEvents InboundConnectionAccepted: Inbound connection acceptedORSecurity-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Kusto

SMB/Windows Admin Shares (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`file_name`	in	`agentexecutor.exe`	1 rule	kusto
`file_name`	in	`appvlp.exe`	1 rule	kusto
`file_name`	in	`at.exe`	1 rule	kusto
`file_name`	in	`atbroker.exe`	1 rule	kusto
`file_name`	in	`bash.exe`	1 rule	kusto
`file_name`	in	`bginfo.exe`	1 rule	kusto
`file_name`	in	`bitsadmin.exe`	1 rule	kusto
`file_name`	in	`cdb.exe`	1 rule	kusto
`file_name`	in	`certreq.exe`	1 rule	kusto
`file_name`	in	`certutil.exe`	1 rule	kusto
`file_name`	in	`cmd.exe`	1 rule	kusto
`file_name`	in	`cmdkey.exe`	1 rule	kusto
`file_name`	in	`cmstp.exe`	1 rule	kusto
`file_name`	in	`control.exe`	1 rule	kusto
`file_name`	in	`csc.exe`	1 rule	kusto

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

ListeningConnectionCreated: Listening connection created

Table: DeviceNetworkEvents

Description

Listening connection created

Fields #

Name	Description
`DeviceId`
`Timestamp`
`LocalIP`
`LocalPort`
`Protocol`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

ConnectionRequest: Connection request

Table: DeviceNetworkEvents

Description

Connection request

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteIP`
`RemotePort`
`Protocol`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

DnsConnectionInspected: DNS connection inspected

Table: DeviceNetworkEvents

Description

DNS connection inspected

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteUrl`
`RemoteIP`
`Protocol`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

DnsQueryResponse: DNS query / response

Table: DeviceNetworkEvents

Description

DNS query / response

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteUrl`
`RemoteIP`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

ConnectionAttempt: Connection attempt

Table: DeviceNetworkEvents

Description

Connection attempt. Outbound connect() initiation; bridge is derivable-from, not one-to-one. Security 5156 fires for every WFP-allowed connection attempt whereas ConnectionAttempt is the MDE-filtered subset of interesting attempts. Cited by FalconFriday rule 0xFF-0270 NTLM Relay.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteIP`
`RemotePort`
`RemoteUrl`
`Protocol`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`DestinationPort`	in	`445`	1 rule	elastic, kusto
`DestinationPort`	in	`80`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

NTLM Relay Attack source: This query searches for successful NTLM network logins where the device name contained in the NTLM authentication message contains a device that is known to MDE, but the source IP address is different from the known source IP address for that specific device. This could indicate an attacker is relaying the NTLM authentication information. To remove false positives, this query also searches for an outgoing network connection from the initiator to the attacker.↳ also matches ConnectionSuccess: Connection succeeded

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

ConnectionFound: Connection found

Table: DeviceNetworkEvents

Description

Connection found. Established-connection observation; bridge is derivable-from. Cited by Sentinel hunting query Firewall Policy Design Assistant alongside ConnectionSuccess and ConnectionRequest as a union for any-state outbound TCP.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteIP`
`RemotePort`
`RemoteUrl`
`Protocol`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

NetworkSignatureInspected: Network signature inspected

Table: DeviceNetworkEvents

Description

Network signature inspected. Defender AV's Network Inspection System (NIS) signature engine result. Partial native bridge via Microsoft-Windows-Windows Defender/Operational 1116 (detection) / 1117 (action taken) when the Source field = NIS, and only when Defender AV with NIS is enabled. Cited by Sentinel hunting query CVE-2022-22965 Network Activity (Spring4Shell).

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteIP`
`RemotePort`
`RemoteUrl`
`AdditionalFields`
`InitiatingProcessFileName`

Detection Rules #

View all rules referencing this event →

Kusto #

DumpGuard NTLM challenge detected source: With the DumpGuard tool, attackers are able to dump credetials via Remote Credential Guard on devices that have Credential Guard enabled. The creator of the DumpGuard tool purposely used a hard-coded NTLMv1 challenge into the tool, for easy detection. > [!WARNING] > Since the detection relies on a static IOC that can easily be changed in the source code, this detection has a low confidence score since it can be easily bypassed. However, if the detection hits it is almost 100% certain the alert will be TP. > Also take into account that the NetworkSignatureInspected ActionType in MDE is sampled, which means not very event will be logged.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicenetworkevents/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Defender-DeviceNetworkEvents

any: Network activity (any)

Description

Fields #

Detection Patterns #

Lateral Movement: Distributed Component Object Model

Kusto

Common Indicators #

Detection Rules #

Kusto #

References #

ConnectionSuccess: Connection succeeded

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

Related Events #

References #

ConnectionFailed: Connection failed

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

InboundConnectionAccepted: Inbound connection accepted

Description

Fields #

Detection Patterns #

Lateral Movement: SMB/Windows Admin Shares

Kusto

Common Indicators #

References #

ListeningConnectionCreated: Listening connection created

Description

Fields #

References #

ConnectionRequest: Connection request

Description

Fields #

References #

DnsConnectionInspected: DNS connection inspected

Description

Fields #

References #

DnsQueryResponse: DNS query / response

Description

Fields #

References #

ConnectionAttempt: Connection attempt

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

ConnectionFound: Connection found

Description

Fields #

References #

NetworkSignatureInspected: Network signature inspected

Description

Fields #

Detection Rules #

Kusto #

References #