Adversaries may gather network adapter information to identify internal network structures and potential targets. SOC teams should proactively hunt for this behavior to detect reconnaissance activities that could lead to lateral movement or data exfiltration in Azure Sentinel.
id: 86fb56b4-3a10-443b-8345-d00a45046d15
name: Network info of machine
description: |
  Get information about the network adapters of the given computer in the given time.
  This could include the configured IP addresses, DHCP servers, DNS servers, and more.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkInfo
query: |
  let DeviceIdParam = "c0bfefec0bfefec0bfefec0bfefec0bfefecafe";
  let pivotTimeParam = datetime(2018-07-15T19:51);
  DeviceNetworkInfo
  // Query for reports sent +-15 minutes around the time we are interested in
  | where Timestamp between ((pivotTimeParam-15m) .. 30m) and DeviceId == DeviceIdParam and NetworkAdapterStatus == "Up"
  // IPAddresses contains a list of the IP addresses configured on the network adapter, their subnets, and more.
  // Here we expand the list so that each value gets a separate row. All the other columns in the row, such as MacAddress, are duplicated.
  | mvexpand parse_json(IPAddresses)
  | project IPAddress=IPAddresses.IPAddress, AddressType=IPAddresses.AddressType, NetworkAdapterType, TunnelType, MacAddress,
    ConnectedNetworks, Timestamp, TimeDifference=abs(Timestamp-pivotTimeParam)
  // In case multiple machines have reported from that IP address around that time, start with the ones reporting closest to pivotTimeParam
  | sort by TimeDifference asc, NetworkAdapterType, MacAddress
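To see what the pipeline above actually does to a record, the following added example (not part of the hunting query or the Sentinel repository) re-implements it offline in Python: the +-15 minute window around the pivot, the DeviceId and NetworkAdapterStatus filter, the mv-expand of the IPAddresses JSON array into one row per address, and the sort by distance from the pivot. The rows it runs on are constructed to look like DeviceNetworkInfo records using the column names the query projects; the device ids, MACs and addresses are made up.

```python
import json
from datetime import datetime, timedelta

def _row(ts, device, status, adapter, mac, ips):
    """Build a constructed DeviceNetworkInfo-like record (sample data, not real telemetry)."""
    return {"Timestamp": ts, "DeviceId": device, "NetworkAdapterStatus": status,
            "NetworkAdapterType": adapter, "TunnelType": "None", "MacAddress": mac,
            "ConnectedNetworks": "[]",
            "IPAddresses": json.dumps([{"IPAddress": a, "AddressType": t} for a, t in ips])}

PIVOT = datetime(2018, 7, 15, 19, 51)      # same pivot as the query; window is 19:36 .. 20:06
SAMPLE_ROWS = [                             # constructed rows; comments say why each is kept or dropped
    _row(datetime(2018, 7, 15, 19, 40), "dev-a", "Up", "Ethernet", "00-11-22-33-44-55",
         [("10.0.0.5", "Private"), ("fe80::1", "Private")]),   # kept, expands to two rows
    _row(datetime(2018, 7, 15, 19, 52), "dev-a", "Up", "Wireless80211", "66-77-88-99-AA-BB",
         [("192.168.1.20", "Private")]),                        # kept, closest to the pivot
    _row(datetime(2018, 7, 15, 19, 55), "dev-a", "Down", "Ethernet", "CC-DD-EE-FF-00-11",
         [("10.0.0.99", "Private")]),                           # dropped: adapter not Up
    _row(datetime(2018, 7, 15, 19, 50), "dev-b", "Up", "Ethernet", "22-33-44-55-66-77",
         [("10.0.0.7", "Private")]),                            # dropped: other device
    _row(datetime(2018, 7, 15, 19, 30), "dev-a", "Up", "Ethernet", "00-11-22-33-44-55",
         [("10.0.0.5", "Private")]),                            # dropped: outside the window
]

def network_info_near(rows, device_id, pivot, window=timedelta(minutes=15)):
    """Mirror the KQL: where, mv-expand IPAddresses, project, sort by TimeDifference."""
    start, end = pivot - window, pivot + window      # KQL: between ((pivot-15m) .. 30m), inclusive
    out = []
    for r in rows:
        if not (start <= r["Timestamp"] <= end):
            continue
        if r["DeviceId"] != device_id or r["NetworkAdapterStatus"] != "Up":
            continue
        for ip in json.loads(r["IPAddresses"]):      # mv-expand: one output row per address
            out.append({"IPAddress": ip["IPAddress"], "AddressType": ip["AddressType"],
                        "NetworkAdapterType": r["NetworkAdapterType"],
                        "TunnelType": r["TunnelType"], "MacAddress": r["MacAddress"],
                        "ConnectedNetworks": r["ConnectedNetworks"],
                        "Timestamp": r["Timestamp"],
                        "TimeDifference": abs(r["Timestamp"] - pivot)})
    # sort by TimeDifference asc, NetworkAdapterType, MacAddress (stable, like the query)
    out.sort(key=lambda x: (x["TimeDifference"], x["NetworkAdapterType"], x["MacAddress"]))
    return out

if __name__ == "__main__":
    for row in network_info_near(SAMPLE_ROWS, "dev-a", PIVOT):
        print(row["TimeDifference"], row["NetworkAdapterType"], row["MacAddress"], row["IPAddress"])
```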
Scenario: Scheduled System Update via Windows Server Update Services (WSUS)
Description: A scheduled job runs to update system patches, which may temporarily change network adapter configurations or DNS settings.
Filter/Exclusion: Exclude events related to WSUS or update tasks using the ProcessName field (ProcessName != "wuauserv" and ProcessName != "svchost"); note that joining the conditions with "or" would match every row.
Scenario: DNS Server Configuration Change via PowerShell Script
Description: An administrator runs a PowerShell script to update DNS server settings on a domain controller or DNS server, which may trigger network adapter information retrieval.
Filter/Exclusion: Exclude events where ProcessName is powershell.exe and the command line includes dnscmd or Set-DnsServer.
Scenario: Network Adapter Configuration via Group Policy Preferences (GPP)
Description: A Group Policy Preferences (GPP) item is applied that modifies network adapter settings, such as IP address or DNS configuration, which may trigger network information retrieval.
Filter/Exclusion: Exclude events where ProcessName is gpupdate.exe or gpmc.msc, or where the event description includes "Group Policy".
Scenario: System Diagnostics Tool Usage (e.g., ipconfig, netsh, Get-NetAdapter)
Description: An administrator or automated tool runs a command-line utility such as ipconfig or netsh, or the PowerShell cmdlet Get-NetAdapter, to troubleshoot network issues.
Filter/Exclusion: Exclude events where ProcessName is cmd.exe, powershell.exe, or netsh.exe, and the command line includes ipconfig, netsh, or Get-NetAdapter.
Scenario: Virtual Machine Network Configuration via Hyper-V Manager
Description: