Device Network Events Uncommon Process Connection To Suspicious Domain
Query
let query_frequency = 1h;
let query_period = 14d;
let suspicious_domains = dynamic([
@"d\d[a-z0-9]{12}\.cloudfront\.net",
@"[\-\w]+\-[a-f0-9]{3,5}\.kxcdn\.com",
@"[\-\w]+\-[a-z0-9]{16}\.\w\d\d\.azurefd\.net",
@"[\-\w]+\.[a-z0-9]+\.cloudapp\.azure\.com",
@"portswigger\.net",
@"oastify\.com",
@"whatismyip\.com",
@"whatismyip\.net",
@"whatismyipaddress\.com"
]);
let excluded_company_names = dynamic([]);
let excluded_original_names = dynamic([]);
DeviceNetworkEvents
| where Timestamp > ago(query_period)
| where RemoteUrl matches regex strcat_array(suspicious_domains, "|") // and not(InitiatingProcessAccountSid in ("S-1-5-18", "S-1-5-20"))
| where isnotempty(InitiatingProcessFileName)
| summarize
StartTime = arg_min(Timestamp, *),
EndTime = max(Timestamp),
DeviceNamesSample = array_sort_asc(make_set(DeviceName, 100)),
RemoteUrlsSample = array_sort_asc(make_set(RemoteUrl, 100))
by InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoFileDescription
| where StartTime > ago(query_frequency)
| invoke FileProfile("InitiatingProcessSHA1", 1000)
| where not(GlobalPrevalence > 10000)
| where not(GlobalPrevalence > 1000 and GlobalFirstSeen < ago(query_frequency) and SignatureState == "SignedValid")
| where not(GlobalPrevalence > 500 and InitiatingProcessVersionInfoCompanyName in (excluded_company_names) and InitiatingProcessVersionInfoOriginalFileName in (excluded_original_names))
| project
StartTime,
EndTime,
DeviceNamesSample,
RemoteUrlsSample,
Timestamp = StartTime,
DeviceId,
DeviceName,
LocalIP,
ActionType,
RemoteIP,
RemotePort,
RemoteUrl,
Protocol,
InitiatingProcessAccountName,
InitiatingProcessAccountSid,
InitiatingProcessAccountUpn,
InitiatingProcessAccountObjectId,
InitiatingProcessSHA1,
InitiatingProcessSHA256,
InitiatingProcessMD5,
InitiatingProcessFileName,
InitiatingProcessFolderPath,
InitiatingProcessCommandLine,
InitiatingProcessCreationTime,
IsInitiatingProcessRemoteSession,
InitiatingProcessParentFileName,
InitiatingProcessVersionInfoCompanyName,
InitiatingProcessVersionInfoProductName,
InitiatingProcessVersionInfoOriginalFileName,
InitiatingProcessVersionInfoInternalFileName,
InitiatingProcessVersionInfoFileDescription,
InitiatingProcessVersionInfoProductVersion,
GlobalPrevalence,
GlobalFirstSeen,
GlobalLastSeen,
SignatureState,
ReportIdExplanation
This query is designed to identify potentially suspicious network activity on devices by examining network events over a specified period. Here's a simplified breakdown of what the query does:
-
Time Frame: It looks at network events from the last 14 days (
query_period) but focuses on events that started within the last hour (query_frequency). -
Suspicious Domains: It checks if the network events involve URLs that match a list of predefined suspicious domain patterns, such as certain cloud service URLs and known suspicious domains like "portswigger.net" and "whatismyip.com".
-
Data Filtering:
- It ensures that the initiating process (the process that started the network event) has a non-empty file name.
- It excludes events based on certain conditions related to the prevalence and signature state of the initiating process.
-
Data Summarization:
- It summarizes the events by capturing the earliest and latest timestamps, and samples of device names and remote URLs involved.
- It groups the data by various attributes of the initiating process, such as company name, product name, and file description.
-
File Profiling: It uses a function to profile the initiating process based on its SHA1 hash, considering up to 1000 entries.
-
Exclusions:
- It excludes events where the initiating process is very common globally (high prevalence).
- It also excludes events based on company names and original file names if they are in the excluded lists (though these lists are empty in this query).
-
Output: The query projects a comprehensive set of details about each event, including timestamps, device and network details, process information, and global prevalence data.
Overall, this query is used to detect and analyze network events that might indicate suspicious activity, focusing on uncommon or less prevalent processes interacting with known suspicious domains.
Details

Jose Sebastián Canós
Released: July 13, 2026
Tables
Keywords
Operators