alexverboon/DeviceNetworkEvents_Iana.kql

## DeviceNetworkEvents_Iana.kql
// Enrich DeviceNetworkEvents with the port number Servicename information
let iana_port_assignments = (externaldata(entry: string ) [@"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv"]
with (format="txt",ignoreFirstRecord=true))
//iana_port_assignments
// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
| extend data = parse_csv(entry)
| extend ServiceName = tostring(data[0])
| extend PortNumber = toint(data[1])
| project ServiceName, PortNumber
| summarize any(ServiceName) by PortNumber
| extend ServiceName = any_ServiceName;
iana_port_assignments
| join kind=rightouter (DeviceNetworkEvents
// | where DeviceName contains "DESKTOP-1234"
)
on $left. PortNumber ==  $right.RemotePort
| project-away any_ServiceName
| summarize EventCount=count() by PortNumber, ServiceName
| sort by PortNumber asc
	// Enrich DeviceNetworkEvents with the port number Servicename information
	let iana_port_assignments = (externaldata(entry: string ) [@"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv"]
	with (format="txt",ignoreFirstRecord=true))
	//iana_port_assignments
	// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
	\| extend data = parse_csv(entry)
	\| extend ServiceName = tostring(data[0])
	\| extend PortNumber = toint(data[1])
	\| project ServiceName, PortNumber
	\| summarize any(ServiceName) by PortNumber
	\| extend ServiceName = any_ServiceName;
	iana_port_assignments
	\| join kind=rightouter (DeviceNetworkEvents
	// \| where DeviceName contains "DESKTOP-1234"
	)
	on $left. PortNumber == $right.RemotePort
	\| project-away any_ServiceName
	\| summarize EventCount=count() by PortNumber, ServiceName
	\| sort by PortNumber asc