DeviceNetworkEvents table in Defender365

AdamBudzinskiAZA-0329 91 Reputation points
2022-10-26T14:35:14.513+00:00

Hi,
I see (or it's just me and my misinterpretation) but I'm having a difficult time making sense of the DeviceNetworkEvents table in Defender 365 Advanced Hunting.

Example 1:

[screenshot: 254387-image.png]

[screenshot: 254374-image.png]
If I perform a search for that IP 1.2.3.4 in that table as RemoteIP == "1.2.3.4", I can still grab the device name, and it's the one that corresponds to what is in LocalIP.

However, when the ActionType == NetworkSignatureInspected, the reverse is true, meaning the DeviceName is mapped to the RemoteIP. What I suspect, but am not sure of, is that this is part of Endpoint Discovery, meaning that the device with DeviceName in the event is seeing the traffic from a not-onboarded device?

Thanks
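An added Advanced Hunting query (not part of the original question) that makes the column mapping the questioner describes visible in one result set: it pulls every DeviceNetworkEvents row where the address appears on either side of the connection and groups the rows by ActionType and by which column the address landed in. The columns used (Timestamp, DeviceName, ActionType, LocalIP, RemoteIP) are standard DeviceNetworkEvents columns; 1.2.3.4 is the questioner's placeholder IP and the 7-day window is an assumed choice.

```kql
// Added example, not from the original post. Shows, per ActionType, whether the IP of
// interest shows up as LocalIP (the onboarded device itself) or as RemoteIP (a peer the
// onboarded device talked to or observed), together with the devices that reported it.
let targetIp = "1.2.3.4";            // constructed placeholder, replace with the address under investigation
DeviceNetworkEvents
| where Timestamp > ago(7d)          // assumed lookback window
| where RemoteIP == targetIp or LocalIP == targetIp
| extend IpSide = iff(LocalIP == targetIp, "LocalIP", "RemoteIP")
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            ReportingDevices = make_set(DeviceName, 10)
  by ActionType, IpSide
| order by ActionType asc, IpSide asc
```

Reading the output: rows with IpSide == "LocalIP" name the device that owns the address, while rows with IpSide == "RemoteIP" name the device that saw traffic involving it. Seeing NetworkSignatureInspected only in the RemoteIP group for a given address is consistent with the reporting device passively observing a peer rather than the peer reporting on itself, which is the distinction the question is asking about.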

Microsoft Defender for Cloud

1 answer

  1. Andrew Blumhardt 9,776 Reputation points Microsoft Employee
    2022-10-27T13:04:47.243+00:00

    I may not understand the question. The MDE client can inspect for other systems using Device Discovery, though I am not certain if that is related. This uses the agent to discover systems that are not onboarded, in addition to network and IoT devices.

    Here is more info on that activity type:
    https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-network-signatures-in-microsoft-defender-for/ba-p/3429520
