alexverboon/DeviceNetworkInfo.kql

## DeviceNetworkInfo.kql
// Query for Microsoft Defender 365 - exploring devicenetwork info. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc.
DeviceNetworkInfo
| where Timestamp > ago (30d)
// | where DeviceName contains "ADD YOUR COMPUTERNAME HERE"
| where NetworkAdapterStatus contains "Up"
| extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name)
| extend Description = tostring(parse_json(ConnectedNetworks)[0].Description)
| extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet)
| extend Category = tostring(parse_json(ConnectedNetworks)[0].Category)
| extend Dns1 = tostring(parse_json(DnsAddresses)[0])
| extend Dns2 = tostring(parse_json(DnsAddresses)[1])
| mv-expand  todynamic(IPAddresses)
| extend IPAddress = tostring(parse_json(IPAddresses).IPAddress)
| extend IPVersion = iff(extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,IPAddress) == IPAddress, "IPv4","IPv6")
| extend SubnetPrefix = tostring(parse_json(IPAddresses).SubnetPrefix)
| extend AddressType = tostring(parse_json(IPAddresses).AddressType)
| where NetworkAdapterType == "Wireless80211"
| project Timestamp, DeviceName, NetworkAdapterStatus, NetworkName, Description, IsConnectedToInternet, Category, Dns1, Dns2, IPAddress, IPVersion, AddressType, SubnetPrefix
// | where NetworkAdapterType == "Ethernet"
// | where IsConnectedToInternet contains "true"
// | summarize count() by NetworkName
// | summarize count() by NetworkAdapterType
// | summarize count() by Dns1, NetworkName
// | summarize count() by Dns2, NetworkName
// | summarize count() by AddressType, NetworkName
// | summarize count() by IPAddress, NetworkName
// | summarize count() by Category, IPAddress, NetworkName
// | summarize count() by MacAddress, NetworkAdapterName, NetworkAdapterType, Description
// | summarize count() by Description
 // | summarize count() by IPv4Dhcp,Dns1, NetworkName
	// Query for Microsoft Defender 365 - exploring devicenetwork info. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc.
	DeviceNetworkInfo
	\| where Timestamp > ago (30d)
	// \| where DeviceName contains "ADD YOUR COMPUTERNAME HERE"
	\| where NetworkAdapterStatus contains "Up"
	\| extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name)
	\| extend Description = tostring(parse_json(ConnectedNetworks)[0].Description)
	\| extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet)
	\| extend Category = tostring(parse_json(ConnectedNetworks)[0].Category)
	\| extend Dns1 = tostring(parse_json(DnsAddresses)[0])
	\| extend Dns2 = tostring(parse_json(DnsAddresses)[1])
	\| mv-expand todynamic(IPAddresses)
	\| extend IPAddress = tostring(parse_json(IPAddresses).IPAddress)
	\| extend IPVersion = iff(extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,IPAddress) == IPAddress, "IPv4","IPv6")
	\| extend SubnetPrefix = tostring(parse_json(IPAddresses).SubnetPrefix)
	\| extend AddressType = tostring(parse_json(IPAddresses).AddressType)
	\| where NetworkAdapterType == "Wireless80211"
	\| project Timestamp, DeviceName, NetworkAdapterStatus, NetworkName, Description, IsConnectedToInternet, Category, Dns1, Dns2, IPAddress, IPVersion, AddressType, SubnetPrefix
	// \| where NetworkAdapterType == "Ethernet"
	// \| where IsConnectedToInternet contains "true"
	// \| summarize count() by NetworkName
	// \| summarize count() by NetworkAdapterType
	// \| summarize count() by Dns1, NetworkName
	// \| summarize count() by Dns2, NetworkName
	// \| summarize count() by AddressType, NetworkName
	// \| summarize count() by IPAddress, NetworkName
	// \| summarize count() by Category, IPAddress, NetworkName
	// \| summarize count() by MacAddress, NetworkAdapterName, NetworkAdapterType, Description
	// \| summarize count() by Description
	// \| summarize count() by IPv4Dhcp,Dns1, NetworkName