Security researchers Meitar Pinto and Thiago Marques also contributed to this post.
As we continue to evolve our Microsoft 365 Defender capabilities so that security teams can analyze enriched incidents with alerts and events from diverse sources, user feedback is a critical factor. One of the core requests we heard from customers was for Defender for Endpoint to provide deeper visibility into the sources and destinations of network traffic on protected endpoints.
Previously, Microsoft Defender for Endpoint introduced device discovery as part of our Threat and Vulnerability Management component. Device discovery employs both active (standard discovery) and passive (basic discovery) methods to discover devices. The passive method listens to traffic and surfaces new devices to the Microsoft 365 Defender portal.
We have recently expanded advanced hunting capabilities to expose network traffic details collected by device discovery. The DeviceNetworkEvents table has a new ActionType value, NetworkSignatureInspected, that presents this information. Events with this action type carry details about the detected network traffic in the AdditionalFields column, as shown in figure 1.
Figure 1. AdditionalFields details from a NetworkSignatureInspected action type from the DeviceNetworkEvents advanced hunting table
AdditionalFields generally captures information beyond what a standard network event stores. For the new NetworkSignatureInspected action type it contains three values: SignatureName, SignatureMatchedContent, and SamplePacketContent. The following query lists the distinct signature names seen in the last seven days:
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend SigName = parse_json(AdditionalFields).SignatureName, SigMatchedContent = parse_json(AdditionalFields).SignatureMatchedContent, SigSampleContent = parse_json(AdditionalFields).SamplePacketContent
| distinct tostring(SigName)
The query outputs the distinct signature types like so:
Figure 2. Distinct signature types from NetworkSignatureInspected action type, found in AdditionalFields
SignatureName | SignatureMatchedContent
HTTP_Client | GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?11791a66b4e4cedd HTTP/1.1
DNS_Request | r%E9%01%00%00%01%00%00%00%00%00%00%06eu-v20%06events%04data%09microsoft%03com
SMB_Client | %00%00%00%E8%FESMB
Here are a few scenarios where you can use the NetworkSignatureInspected action type in advanced hunting:
// SSH connections where the matched banner is SSH-1 (protocol version 1)
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend SigName = parse_json(AdditionalFields).SignatureName, SigMatchedContent = parse_json(AdditionalFields).SignatureMatchedContent, SigSampleContent = parse_json(AdditionalFields).SamplePacketContent
| where SigName == 'SSH'
| where SigMatchedContent == 'SSH-1'
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend json = parse_json(AdditionalFields)
| project LocalIP, LocalPort, RemoteIP, RemotePort, SignatureName = tostring(json.SignatureName), SignatureMatchedContent = tostring(json.SignatureMatchedContent), SamplePacketContent = tostring(json.SamplePacketContent)
// Looks for SMB_Client signatures on ports other than 445 and 139,
// and for DNS requests on ports other than 53, 137, 5353, and 5355
| where (SignatureName == "SMB_Client" and LocalPort !in (445, 139) and RemotePort !in (445, 139))
    or (SignatureName == "DNS_Request" and LocalPort !in (53, 137, 5353, 5355) and RemotePort !in (53, 137, 5353, 5355))
// Counts how many distinct local hosts sent DNS requests to each remote resolver on port 53
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend json = parse_json(AdditionalFields)
| project LocalIP, LocalPort, RemoteIP, RemotePort, SignatureName = tostring(json.SignatureName), SignatureMatchedContent = tostring(json.SignatureMatchedContent), SamplePacketContent = tostring(json.SamplePacketContent)
| where SignatureName == "DNS_Request" and RemotePort == 53
| summarize dcount(LocalIP) by RemoteIP
// HTTP requests whose matched request line references an .exe file
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| where Timestamp > ago(7d)
| extend json = parse_json(AdditionalFields)
| project LocalIP, LocalPort, RemoteIP, RemotePort, SignatureName = tostring(json.SignatureName), SignatureMatchedContent = tostring(json.SignatureMatchedContent), SamplePacketContent = tostring(json.SamplePacketContent)
| where SignatureName == "HTTP_Client"
| where SignatureMatchedContent has ".exe"
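The SamplePacketContent values in the table above are percent-encoded raw packet bytes, and the scenario queries above compare each signature against the ports it is normally expected on. As an added example that is not part of the original post or of Defender for Endpoint, the Python below decodes those three sample payloads back into bytes, parses the DNS question name, the HTTP request line and the SMB2 header out of them (handling the truncated DNS sample), and flags a signature that appears on neither of its expected ports, using the same port lists as the queries. The event records, their IPs and ports, and the JSON shape around AdditionalFields are constructed assumptions; the signature strings are the ones shown in the table.

```python
import json
from urllib.parse import unquote_to_bytes

# Constructed events: the three AdditionalFields payloads from the post's table,
# wrapped in an assumed record shape with made-up IPs and ports.
SAMPLE_EVENTS = [
    {"LocalIP": "10.0.0.5", "LocalPort": 49210, "RemoteIP": "203.0.113.10", "RemotePort": 80,
     "AdditionalFields": json.dumps({
         "SignatureName": "HTTP_Client",
         "SignatureMatchedContent": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?11791a66b4e4cedd HTTP/1.1",
         "SamplePacketContent": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?11791a66b4e4cedd HTTP/1.1"})},
    {"LocalIP": "10.0.0.5", "LocalPort": 51234, "RemoteIP": "10.0.0.2", "RemotePort": 53,
     "AdditionalFields": json.dumps({
         "SignatureName": "DNS_Request",
         "SignatureMatchedContent": "r%E9%01%00%00%01%00%00%00%00%00%00%06eu-v20%06events%04data%09microsoft%03com",
         "SamplePacketContent": "r%E9%01%00%00%01%00%00%00%00%00%00%06eu-v20%06events%04data%09microsoft%03com"})},
    {"LocalIP": "10.0.0.7", "LocalPort": 51000, "RemoteIP": "10.0.0.9", "RemotePort": 8445,
     "AdditionalFields": json.dumps({
         "SignatureName": "SMB_Client",
         "SignatureMatchedContent": "%00%00%00%E8%FESMB",
         "SamplePacketContent": "%00%00%00%E8%FESMB"})},
]

# Ports each signature is expected on, mirroring the port lists in the hunting queries.
EXPECTED_PORTS = {
    "SMB_Client": {445, 139},
    "DNS_Request": {53, 137, 5353, 5355},
}


def decode_sample(content):
    """SamplePacketContent is percent-encoded; recover the raw packet bytes."""
    return unquote_to_bytes(content)


def parse_dns_request(packet):
    """Parse the 12-byte DNS header and the first question name.
    The sample may be cut off before the name terminator, so report truncation
    instead of failing."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid = int.from_bytes(packet[0:2], "big")
    flags = int.from_bytes(packet[2:4], "big")
    qdcount = int.from_bytes(packet[4:6], "big")
    labels, pos, truncated = [], 12, False
    while True:
        if pos >= len(packet):          # ran out of bytes before the 0x00 terminator
            truncated = True
            break
        length = packet[pos]
        if length == 0:                 # end of name
            break
        if length & 0xC0:               # compression pointers do not occur in a question name
            raise ValueError("compressed label in question name")
        pos += 1
        label = packet[pos:pos + length]
        labels.append(label.decode("ascii", "replace"))
        if len(label) < length:         # name cut mid-label
            truncated = True
            break
        pos += length
    return {"txid": txid, "recursion_desired": bool(flags & 0x0100),
            "qdcount": qdcount, "qname": ".".join(labels), "truncated": truncated}


def parse_http_request_line(packet):
    """Split the first line of an HTTP request into method, target and version."""
    line = packet.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line")
    return {"method": parts[0], "target": parts[1], "version": parts[2]}


def parse_smb_header(packet):
    """Read the NetBIOS session header (type 0x00 + 3-byte length) and the SMB magic."""
    if len(packet) < 8 or packet[0] != 0:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    magic = packet[4:8]
    family = {b"\xfeSMB": "SMB2/3", b"\xffSMB": "SMB1"}.get(magic)
    if family is None:
        raise ValueError("unknown SMB magic %r" % magic)
    return {"nbss_length": length, "family": family}


PARSERS = {"DNS_Request": parse_dns_request,
           "HTTP_Client": parse_http_request_line,
           "SMB_Client": parse_smb_header}


def inspect_event(event):
    """Decode one NetworkSignatureInspected event and check its ports against expectations.
    port_mismatch is True when the signature has an expected port set and neither
    LocalPort nor RemotePort is in it, the same condition the KQL query uses."""
    fields = json.loads(event["AdditionalFields"])
    name = fields["SignatureName"]
    packet = decode_sample(fields["SamplePacketContent"])
    result = {"signature": name, "raw_len": len(packet), "decoded": None}
    parser = PARSERS.get(name)
    if parser is not None:
        result["decoded"] = parser(packet)
    expected = EXPECTED_PORTS.get(name)
    result["port_mismatch"] = (expected is not None
                               and event["LocalPort"] not in expected
                               and event["RemotePort"] not in expected)
    return result


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(inspect_event(ev))
```

Running the block prints the decoded DNS name eu-v20.events.data.microsoft.com with truncated set to True (the sample stops before the QTYPE/QCLASS fields), the HTTP method and path, and an SMB2/3 header with a 232-byte NetBIOS length, with only the SMB event on port 8445 flagged as a port mismatch.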
We hope this new signature data can help you hunt for suspicious network events in a more granular way to better streamline your hunting activities. We look forward to hearing your feedback about these new capabilities. Stay tuned for more signatures to be released over time!