Update your custom detections to leverage new ActionTypes in DeviceNetworkEvents

Originally posted by Microsoft May 23, 2023 Uncategorized 0 Comments

On July 18, 2023, Microsoft will be retiring a subset of signatures found in the “NetworkSignaturesInspected” action type of Advanced Hunting. With the recent integration of Zeek providing advanced protocol parsing capabilities, which result in better visibility into full network sessions compared to the raw packet bytes found in the “NetworkSignaturesInspected” action type of Advanced Hunting today, the effort to consolidate will provide a better overall experience for our customers by reducing the signatures that serve similar functions without the added benefits provided by the new Zeek alternative.

When this will happen:

July 18, 2023

How this affects your organization:

For customers currently using the “NetworkSignaturesInspected” action type, here is a list of signatures that will be deprecated, referenced alongside their alternatives available in Advanced Hunting: 

Protocol / Signature Name Old Action Type New Action Type
SSH NetworkSignatureInspected SshConnectionInspected
FTP_Upload NetworkSignatureInspected FtpConnectionInspected
FFP_Client NetworkSignatureInspected FtpConnectionInspected
HTTP_Client NetworkSignatureInspected HttpConnectionInspected
HTTP_Server NetworkSignatureInspected HttpConnectionInspected
HTTP_RequestBodyParameters NetworkSignatureInspected HttpConnectionInspected
HTTPS_Client NetworkSignatureInspected SslConnectionInspected
DNS_Request NetworkSignatureInspected DnsConnectionInspected

What you can do to prepare:

An example of your old query:

DeviceNetworkEvents  

| where ActionType == “NetworkSignatureInspected”

| extend AdditionalFields = todynamic(AdditionalFields)

| where AdditionalFields.SignatureName == “SSH”

Your new query:

DeviceNetworkEvents  

Your organization might be using a “NetworkSignatureInspected” action type in your Advanced Hunting queries and custom detections. Particularly, you might be using a Signature Name that is going to be deprecated soon. Please update your queries with the new action types so that you can leverage this valuable data and avoid breaking your current custom detections.

| where ActionType == “SshConnectionInspected”

Message ID: MC559251

No comments yet

Leave a Reply

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: