Adversaries may use connected networks to establish persistent access or exfiltrate data undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or command and control activities.
KQL Query:

//
DeviceNetworkInfo
| summarize arg_max(Timestamp, *) by DeviceId
| mv-expand todynamic(ConnectedNetworks)
| where isnotempty(ConnectedNetworks.Name)
| summarize by NetworkNames = tostring(ConnectedNetworks.Name)
id: cd1492a0-7e53-4615-9e63-f930576a3f6b
name: Seen Connected Networks
description: |
  This query uncovers seen connected networks
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkInfo
tactics: []
relevantTechniques: []
query: |
  //
  DeviceNetworkInfo
  | summarize arg_max(Timestamp, *) by DeviceId
  | mv-expand todynamic(ConnectedNetworks)
  | where isnotempty(ConnectedNetworks.Name)
  | summarize by NetworkNames = tostring(ConnectedNetworks.Name)
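The stored query returns only the distinct network names reported in each device's latest DeviceNetworkInfo record, so on its own it does not tell an analyst which names are new or how many devices report them. The query below is an added example, not the repository's hunting query: it builds a baseline of network names from the preceding 30 days, keeps only names that appear in the last day but not in the baseline, and attaches device counts and first/last seen times. The `Category` key inside the ConnectedNetworks JSON is assumed to exist alongside `Name`, and both window lengths are arbitrary choices.

```kql
// Added example (not the repository's query): connected network names that are new
// relative to a 30-day baseline, with the devices that report them.
let baselineWindow = 30d;   // arbitrary baseline length
let recentWindow = 1d;      // arbitrary hunting window
// Network names observed during the baseline period (recent window excluded)
let BaselineNetworks = DeviceNetworkInfo
    | where Timestamp between (ago(baselineWindow + recentWindow) .. ago(recentWindow))
    | mv-expand todynamic(ConnectedNetworks)
    | where isnotempty(ConnectedNetworks.Name)
    | summarize by NetworkName = tostring(ConnectedNetworks.Name);
// Latest report per device in the recent window, one row per connected network
DeviceNetworkInfo
| where Timestamp > ago(recentWindow)
| summarize arg_max(Timestamp, *) by DeviceId
| mv-expand todynamic(ConnectedNetworks)
| where isnotempty(ConnectedNetworks.Name)
| extend NetworkName = tostring(ConnectedNetworks.Name),
         NetworkCategory = tostring(ConnectedNetworks.Category)  // assumed key in the JSON
// Drop every name that was already present in the baseline
| join kind=leftanti BaselineNetworks on NetworkName
| summarize DeviceCount = dcount(DeviceId),
            Devices = make_set(DeviceName, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
          by NetworkName, NetworkCategory
// Names reported by only one or two devices are the ones worth a closer look first
| order by DeviceCount asc, LastSeen desc
```

Because `arg_max(Timestamp, *)` keeps only the most recent record per device, a network a device left earlier in the day is not shown; widen `recentWindow` or drop the `arg_max` step when the hunt needs every network a device touched rather than its current state.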
False positive scenarios and tuning:

Scenario: Network discovery scan using Nmap
Filter/Exclusion: Exclude IP ranges used for internal network discovery (e.g., 192.168.0.0/16) or add a filter for source_ip = "10.0.0.5" (the IP used by the Nmap scanner).

Scenario: Scheduled system update via WSUS (Windows Server Update Services)
Filter/Exclusion: Exclude traffic originating from the WSUS server IP or filter by destination_port = 80 or 443 during update windows.

Scenario: Admin performing PowerShell remote management (e.g., Invoke-Command)
Filter/Exclusion: Exclude connections from known admin IPs or add a filter for process_name = "powershell.exe" combined with a known admin user context.

Scenario: Ansible playbook execution triggering network connectivity checks
Filter/Exclusion: Exclude connections from the Ansible control node IP or filter by process_name = "ansible" or command_line LIKE '%ansible%'.

Scenario: SNMP polling by network monitoring tools like SolarWinds or Zabbix
Filter/Exclusion: Exclude SNMP traffic (e.g., destination_port = 161) or filter by process_name = "snmpwalk" or process_name = "snmptrapd".
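The exclusions above are written against generic source IP, port and process fields, but DeviceNetworkInfo carries none of those columns: it describes adapters and the networks they are joined to, not individual connections. The practical way to apply this tuning in Sentinel is to allowlist expected network names in DeviceNetworkInfo and then pivot to DeviceNetworkEvents, which does record the remote port and initiating process, for the per-connection exclusions. The query below is an added example, not part of the repository; the network names and process names in its lists are constructed placeholders to be replaced with the organisation's own inventory, and the 7-day window is arbitrary.

```kql
// Added example (not the repository's query): allowlist expected network names, then
// pull connection context for devices on any other network from DeviceNetworkEvents.
// Placeholder values below are constructed; replace them with your own inventory.
let KnownNetworks = dynamic(["corp.example.com", "Guest-WiFi"]);
// Processes the scenarios above treat as expected sources of scanning or management traffic
let ExpectedProcesses = dynamic(["powershell.exe", "nmap.exe", "snmpwalk.exe"]);
// Devices whose latest report includes a network name outside the allowlist
let UnexpectedNetworkDevices = DeviceNetworkInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, *) by DeviceId
    | mv-expand todynamic(ConnectedNetworks)
    | extend NetworkName = tostring(ConnectedNetworks.Name)
    | where isnotempty(NetworkName) and NetworkName !in~ (KnownNetworks)
    | summarize by DeviceId, DeviceName, NetworkName;
// Successful outbound connections from those devices, minus the expected tooling
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName !in~ (ExpectedProcesses)
| join kind=inner UnexpectedNetworkDevices on DeviceId
| summarize Connections = count(),
            RemotePorts = make_set(RemotePort, 20),
            Processes = make_set(InitiatingProcessFileName, 20),
            Accounts = make_set(InitiatingProcessAccountName, 10)
          by DeviceId, DeviceName, NetworkName
| order by Connections desc
```

Excluding by process name alone is weak tuning, since an unexpected process can carry an expected name; pairing the process with the account (`Accounts` above) and the device's expected role, as the PowerShell scenario suggests, keeps the exclusion narrow.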