Adversaries may use network discovery to identify and target connected devices within the environment. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to detect reconnaissance efforts and early-stage compromise attempts.
KQL Query
DeviceNetworkInfo
| mv-expand parse_json(IPAddresses)
| mv-expand parse_json(ConnectedNetworks)
| where IPAddresses.IPAddress !contains ":" and IPAddresses.IPAddress <> ""
| where ConnectedNetworks.Name == "YourNetworkHere" and ConnectedNetworks.Name <> "" //Change the YourNetworkHere to the display
| summarize arg_max(Timestamp, *) by DeviceName
| project DeviceName, IPAddress=IPAddresses.IPAddress, ConnectedNetworks_value=ConnectedNetworks.Name
id: c7813a5c-ef11-4ee9-8feb-731402f31259
name: ConnectedNetworkDeviceDiscovery
description: |
  Find devices connected to a monitored network.
  Please note line 5 needs to have a monitored network name put in place or commented out to pull everything.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  DeviceNetworkInfo
  | mv-expand parse_json(IPAddresses)
  | mv-expand parse_json(ConnectedNetworks)
  | where IPAddresses.IPAddress !contains ":" and IPAddresses.IPAddress <> ""
  | where ConnectedNetworks.Name == "YourNetworkHere" and ConnectedNetworks.Name <> "" //Change the YourNetworkHere to the display
  | summarize arg_max(Timestamp, *) by DeviceName
  | project DeviceName, IPAddress=IPAddresses.IPAddress, ConnectedNetworks_value=ConnectedNetworks.Name
Scenario: Network discovery scan performed by SolarWinds Network Configuration Manager
Filter/Exclusion: Exclude traffic from the SolarWinds agent IP or use a custom tag like tool:solarwinds to filter out legitimate discovery traffic.
Scenario: Scheduled Ansible ad-hoc command to inventory devices on the network
Filter/Exclusion: Exclude traffic originating from the Ansible control node or use a tag like tool:ansible to identify and suppress false positives.
Scenario: Windows Server Backup job that temporarily connects to network devices during backup process
Filter/Exclusion: Exclude IP addresses associated with the backup server or use a tag like task:backup to filter out legitimate network connections during backups.
Scenario: Cisco Prime Infrastructure performing automated device discovery and configuration synchronization
Filter/Exclusion: Exclude traffic from the Cisco Prime IP address or use a tag like tool:cisco_prime to suppress alerts from known management traffic.
Scenario: PRTG Network Monitor polling devices for status updates and health checks
Filter/Exclusion: Exclude IP addresses associated with the PRTG server or use a tag like tool:prtgnetworkmonitor to filter out expected monitoring traffic.
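The scenarios above all reduce to the same tuning step: keep a list of known management hosts with a tag, and drop (or mark) rows whose IP matches it. The KQL below is an added example, not part of the original hunting query or its YAML definition; it builds on the query above and adds the exclusion with a self-contained `datatable`. The IP addresses, tags and notes in the list are constructed sample values, and `MonitoredNetwork` reuses the original's "YourNetworkHere" placeholder. In a real workspace the `datatable` would normally be replaced by a Sentinel watchlist.

```kql
// Added example: original hunting query plus a tagged allowlist of
// known discovery/management hosts. All IPs and tags below are constructed.
let MonitoredNetwork = "YourNetworkHere";   // display name of the network to hunt in (same placeholder as the original)
let KnownManagementHosts = datatable(IPAddress:string, Tag:string, Note:string) [
    "10.10.0.21", "tool:solarwinds",         "SolarWinds NCM poller (constructed)",
    "10.10.0.22", "tool:ansible",            "Ansible control node (constructed)",
    "10.10.0.23", "task:backup",             "Windows Server Backup host (constructed)",
    "10.10.0.24", "tool:cisco_prime",        "Cisco Prime Infrastructure (constructed)",
    "10.10.0.25", "tool:prtgnetworkmonitor", "PRTG Network Monitor server (constructed)"
];
DeviceNetworkInfo
| mv-expand parse_json(IPAddresses)
| mv-expand parse_json(ConnectedNetworks)
// promote the dynamic fields to typed string columns so they can be joined on
| extend IPAddress = tostring(IPAddresses.IPAddress),
         NetworkName = tostring(ConnectedNetworks.Name)
| where isnotempty(IPAddress) and IPAddress !contains ":"   // IPv4 only, as in the original
| where NetworkName == MonitoredNetwork
// one row per device: its most recent network record
| summarize arg_max(Timestamp, *) by DeviceName
// leftouter keeps every device and attaches Tag/Note where the IP is allowlisted
| join kind=leftouter KnownManagementHosts on IPAddress
| project Timestamp, DeviceName, IPAddress, ConnectedNetworks_value = NetworkName, Tag, Note
// drop this line to keep the tagged rows visible for review instead of suppressing them
| where isempty(Tag)
```

The `leftouter` join with a final `where isempty(Tag)` is deliberate: removing the last line turns the suppression into a labelled view, which is useful when validating that an allowlist entry (say, the backup server) really does account for the traffic before it is silently filtered.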