alexverboon · October 25, 2020 11:02
diff --git a/DeviceNetworkInfo.kql b/DeviceNetworkInfo.kql
 // Query for Microsoft Defender 365 - exploring devicenetwork info. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc. 
 DeviceNetworkInfo 
 | where Timestamp > ago (30d)
 // | where DeviceName contains "ADD YOUR COMPUTERNAME HERE"
 | where NetworkAdapterStatus contains "Up"
 | extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name)
 | extend Description = tostring(parse_json(ConnectedNetworks)[0].Description)
 | extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet)
 | extend Category = tostring(parse_json(ConnectedNetworks)[0].Category)
 | extend Dns1 = tostring(parse_json(DnsAddresses)[0])
 | extend Dns2 = tostring(parse_json(DnsAddresses)[1])
 | mv-expand  todynamic(IPAddresses)
 | extend IPAddress = tostring(parse_json(IPAddresses).IPAddress)
 | extend IPVersion = iff(extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,IPAddress) == IPAddress, "IPv4","IPv6")
 | extend SubnetPrefix = tostring(parse_json(IPAddresses).SubnetPrefix)
 | extend AddressType = tostring(parse_json(IPAddresses).AddressType)
 | where NetworkAdapterType == "Wireless80211"
 | project Timestamp, DeviceName, NetworkAdapterStatus, NetworkName, Description, IsConnectedToInternet, Category, Dns1, Dns2, IPAddress, IPVersion, AddressType, SubnetPrefix
 // | where NetworkAdapterType == "Ethernet"
 // | where IsConnectedToInternet contains "true"
 // | summarize count() by NetworkName
 // | summarize count() by NetworkAdapterType
 // | summarize count() by Dns1, NetworkName
 // | summarize count() by Dns2, NetworkName
 // | summarize count() by AddressType, NetworkName
 // | summarize count() by IPAddress, NetworkName
 // | summarize count() by Category, IPAddress, NetworkName
 // | summarize count() by MacAddress, NetworkAdapterName, NetworkAdapterType, Description
 // | summarize count() by Description
 // | summarize count() by IPv4Dhcp,Dns1, NetworkName
	// Query for Microsoft Defender 365 - exploring devicenetwork info. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc.
	DeviceNetworkInfo
	\| where Timestamp > ago (30d)
	// \| where DeviceName contains "ADD YOUR COMPUTERNAME HERE"
	\| where NetworkAdapterStatus contains "Up"
	\| extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name)
	\| extend Description = tostring(parse_json(ConnectedNetworks)[0].Description)
	\| extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet)
	\| extend Category = tostring(parse_json(ConnectedNetworks)[0].Category)
	\| extend Dns1 = tostring(parse_json(DnsAddresses)[0])
	\| extend Dns2 = tostring(parse_json(DnsAddresses)[1])
	\| mv-expand todynamic(IPAddresses)
	\| extend IPAddress = tostring(parse_json(IPAddresses).IPAddress)
	\| extend IPVersion = iff(extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,IPAddress) == IPAddress, "IPv4","IPv6")
	\| extend SubnetPrefix = tostring(parse_json(IPAddresses).SubnetPrefix)
	\| extend AddressType = tostring(parse_json(IPAddresses).AddressType)
	\| where NetworkAdapterType == "Wireless80211"
	\| project Timestamp, DeviceName, NetworkAdapterStatus, NetworkName, Description, IsConnectedToInternet, Category, Dns1, Dns2, IPAddress, IPVersion, AddressType, SubnetPrefix
	// \| where NetworkAdapterType == "Ethernet"
	// \| where IsConnectedToInternet contains "true"
	// \| summarize count() by NetworkName
	// \| summarize count() by NetworkAdapterType
	// \| summarize count() by Dns1, NetworkName
	// \| summarize count() by Dns2, NetworkName
	// \| summarize count() by AddressType, NetworkName
	// \| summarize count() by IPAddress, NetworkName
	// \| summarize count() by Category, IPAddress, NetworkName
	// \| summarize count() by MacAddress, NetworkAdapterName, NetworkAdapterType, Description
	// \| summarize count() by Description
	// \| summarize count() by IPv4Dhcp,Dns1, NetworkName