{"id":1661,"date":"2023-05-23T08:01:03","date_gmt":"2023-05-22T23:01:03","guid":{"rendered":"https:\/\/m365jp.xyz\/?p=1661"},"modified":"2023-05-23T08:04:39","modified_gmt":"2023-05-22T23:04:39","slug":"mc559251-update-your-custom-detections-to-leverage-new-actiontypes-in-devicenetworkevents","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2023-05-23-mc559251-update-your-custom-detections-to-leverage-new-actiontypes-in-devicenetworkevents","title":{"rendered":"MC559251 | Update your custom detections to leverage new ActionTypes in DeviceNetworkEvents"},"content":{"rendered":"
\n
\n
\n\n\n\n
MC559251 | Update your custom detections to leverage new ActionTypes in DeviceNetworkEvents<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\n\n\n\n\n\n\n
Classification<\/th>\nplanForChange<\/td>\n<\/tr>\n
Last Updated<\/th>\n05\/22\/2023 22:53:02<\/td>\n<\/tr>\n
Start Time<\/th>\n05\/22\/2023 22:52:16<\/td>\n<\/tr>\n
End Time<\/th>\n08\/31\/2023 07:00:00<\/td>\n<\/tr>\n
Message Content<\/th>\n\n

On July 18, 2023, Microsoft will be retiring a subset of signatures found in the “NetworkSignaturesInspected” action type of Advanced Hunting. With the recent integration of Zeek providing advanced protocol parsing capabilities, which result in better visibility into full network sessions compared to the raw packet bytes found in the “NetworkSignaturesInspected” action type of Advanced Hunting today, the effort to consolidate will provide a better overall experience for our customers by reducing the signatures that serve similar functions without the added benefits provided by the new Zeek alternative.<\/p>\n

[When this will happen:]<\/p>\n

July 18, 2023<\/p>\n

[How this affects your organization:]<\/p>\n

For customers currently using the “NetworkSignaturesInspected” action type, here is a list of signatures that will be deprecated, referenced alongside their alternatives available in Advanced Hunting: <\/p>\n

<\/p>\n <\/p>\n\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n\n
Protocol \/ Signature Name<\/th>\n

<\/p>\n

Old Action Type<\/th>\n

<\/p>\n

New Action Type<\/th>\n

<\/tr>\n

<\/p>\n

SSH<\/td>\n

<\/p>\n

NetworkSignatureInspected<\/td>\n

<\/p>\n

SshConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

FTP_Upload<\/td>\n

<\/p>\n

NetworkSignatureInspected<\/td>\n

<\/p>\n

FtpConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

FFP_Client<\/td>\n

<\/p>\n

NetworkSignatureInspected<\/td>\n

<\/p>\n

FtpConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

HTTP_Client<\/td>\n

<\/p>\n

NetworkSignatureInspected<\/td>\n

<\/p>\n

HttpConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

HTTP_Server<\/td>\n

<\/p>\n

NetworkSignatureInspected<\/td>\n

<\/p>\n

HttpConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

HTTP_RequestBodyParameters<\/td>\n

<\/p>\n

NetworkSignatureInspected<\/td>\n

<\/p>\n

HttpConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

HTTPS_Client<\/td>\n

<\/p>\n

NetworkSignatureInspected<\/td>\n

<\/p>\n

SslConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

DNS_Request<\/td>\n

<\/p>\n

NetworkSignatureInspected<\/td>\n

<\/p>\n

DnsConnectionInspected<\/td>\n

<\/tr>\n

<\/tbody>\n<\/table>\n

<\/p>\n

[What you can do to prepare:]<\/p>\n

Your organization might be using a “NetworkSignatureInspected” action type in your Advanced Hunting queries and custom detections. Particularly, you might be using a Signature Name that is going to be deprecated soon. Please update your queries with the new action types so that you can leverage this valuable data and avoid breaking your current custom detections. <\/p>\n

An example of your old query: <\/p>\n

DeviceNetworkEvents   <\/p>\n

| where ActionType == “NetworkSignatureInspected” <\/p>\n

| extend AdditionalFields = todynamic(AdditionalFields) <\/p>\n

| where AdditionalFields.SignatureName == “SSH” <\/p>\n

Your new query: <\/p>\n

DeviceNetworkEvents   <\/p>\n

| where ActionType == “SshConnectionInspected” <\/p>\n<\/td>\n<\/tr>\n

Machine Translation<\/th>\n\n

2023 \u5e74 7 \u6708 18 \u65e5\u306b\u3001Microsoft \u306f\u9ad8\u5ea6\u306a\u30cf\u30f3\u30c6\u30a3\u30f3\u30b0\u306e “\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f” \u30a2\u30af\u30b7\u30e7\u30f3\u306e\u7a2e\u985e\u3067\u898b\u3064\u304b\u3063\u305f\u7f72\u540d\u306e\u30b5\u30d6\u30bb\u30c3\u30c8\u3092\u5ec3\u6b62\u3057\u307e\u3059\u3002\u9ad8\u5ea6\u306a\u30d7\u30ed\u30c8\u30b3\u30eb\u89e3\u6790\u6a5f\u80fd\u3092\u63d0\u4f9b\u3059\u308bZeek\u306e\u6700\u8fd1\u306e\u7d71\u5408\u306b\u3088\u308a\u3001\u4eca\u65e5\u306e\u9ad8\u5ea6\u306a\u30cf\u30f3\u30c6\u30a3\u30f3\u30b0\u306e\u300cNetworkSignaturesInspected\u300d\u30a2\u30af\u30b7\u30e7\u30f3\u30bf\u30a4\u30d7\u306b\u898b\u3089\u308c\u308b\u751f\u306e\u30d1\u30b1\u30c3\u30c8\u30d0\u30a4\u30c8\u3068\u6bd4\u8f03\u3057\u3066\u3001\u5b8c\u5168\u306a\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30bb\u30c3\u30b7\u30e7\u30f3\u306e\u53ef\u8996\u6027\u304c\u5411\u4e0a\u3057\u3001\u7d71\u5408\u306e\u53d6\u308a\u7d44\u307f\u306b\u3088\u308a\u3001\u65b0\u3057\u3044Zeek\u306e\u4ee3\u66ff\u306b\u3088\u3063\u3066\u63d0\u4f9b\u3055\u308c\u308b\u8ffd\u52a0\u306e\u5229\u70b9\u306a\u3057\u306b\u3001\u540c\u69d8\u306e\u6a5f\u80fd\u3092\u63d0\u4f9b\u3059\u308b\u30b7\u30b0\u30cd\u30c1\u30e3\u3092\u6e1b\u3089\u3059\u3053\u3068\u306b\u3088\u308a\u3001\u304a\u5ba2\u69d8\u306b\u5168\u4f53\u7684\u306a\u30a8\u30af\u30b9\u30da\u30ea\u30a8\u30f3\u30b9\u304c\u5411\u4e0a\u3057\u307e\u3059\u3002<\/p>\n

[\u3053\u308c\u304c\u8d77\u3053\u308b\u3068\u304d:]<\/p>\n

2023\u5e747\u670818\u65e5<\/p>\n

[\u3053\u308c\u304c\u7d44\u7e54\u306b\u4e0e\u3048\u308b\u5f71\u97ff:]<\/p>\n

\u73fe\u5728 “NetworkSignaturesInspected” \u30a2\u30af\u30b7\u30e7\u30f3\u306e\u7a2e\u985e\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u304a\u5ba2\u69d8\u306e\u5834\u5408\u306f\u3001\u975e\u63a8\u5968\u306b\u306a\u308b\u7f72\u540d\u306e\u4e00\u89a7\u3092\u6b21\u306b\u793a\u3057\u307e\u3059\u3002 <\/p>\n

<\/p>\n <\/p>\n\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n
\u30d7\u30ed\u30c8\u30b3\u30eb\/\u7f72\u540d\u540d<\/th>\n\u53e4\u3044<\/th>\n

\u30a2\u30af\u30b7\u30e7\u30f3\u306e\u7a2e\u985e <\/p>\n

\u65b0\u3057\u3044\u30a2\u30af\u30b7\u30e7\u30f3\u306e\u7a2e\u985e<\/th>\n

<\/tr>\n

<\/p>\n

\u30c6\u30a3\u30c3\u30ab\u30fc<\/td>\n

<\/p>\n

\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f<\/td>\n

<\/p>\n

Ssh\u63a5\u7d9a\u691c\u67fb\u6e08\u307f<\/td>\n

<\/tr>\n

<\/p>\n

FTP_Upload<\/td>\n

<\/p>\n

\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f<\/td>\n

<\/p>\n

Ftp\u63a5\u7d9a\u691c\u67fb\u6e08\u307f<\/td>\n

<\/tr>\n

<\/p>\n

FFP_Client<\/td>\n

<\/p>\n

\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f<\/td>\n

<\/p>\n

Ftp\u63a5\u7d9a\u691c\u67fb\u6e08\u307f<\/td>\n

<\/tr>\n

<\/p>\n

HTTP_Client<\/td>\n

<\/p>\n

\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f<\/td>\n

<\/p>\n

HttpConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

HTTP_Server<\/td>\n

<\/p>\n

\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f<\/td>\n

<\/p>\n

HttpConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

HTTP_RequestBodyParameters<\/td>\n

<\/p>\n

\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f<\/td>\n

<\/p>\n

HttpConnectionInspected<\/td>\n

<\/tr>\n

<\/p>\n

HTTPS_Client<\/td>\n

<\/p>\n

\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f<\/td>\n

<\/p>\n

Ssl\u63a5\u7d9a\u691c\u67fb\u6e08\u307f<\/td>\n

<\/tr>\n

<\/p>\n

DNS_Request<\/td>\n

<\/p>\n

\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f<\/td>\n

<\/p>\n

Dns\u63a5\u7d9a\u691c\u67fb\u6e08\u307f<\/td>\n

<\/tr>\n

<\/tbody>\n<\/table>\n

<\/p>\n

\u3010\u6e96\u5099\u3067\u304d\u308b\u3053\u3068:\u3011<\/p>\n

\u7d44\u7e54\u3067\u306f\u3001\u9ad8\u5ea6\u306a\u30cf\u30f3\u30c6\u30a3\u30f3\u30b0 \u30af\u30a8\u30ea\u3068\u30ab\u30b9\u30bf\u30e0\u691c\u51fa\u3067 “\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7f72\u540d\u691c\u67fb\u6e08\u307f” \u30a2\u30af\u30b7\u30e7\u30f3\u306e\u7a2e\u985e\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u7279\u306b\u3001\u307e\u3082\u306a\u304f\u5ec3\u6b62\u3055\u308c\u308b\u7f72\u540d\u540d\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u3053\u306e\u8cb4\u91cd\u306a\u30c7\u30fc\u30bf\u3092\u6d3b\u7528\u3057\u3001\u73fe\u5728\u306e\u30ab\u30b9\u30bf\u30e0\u691c\u51fa\u3092\u58ca\u3055\u306a\u3044\u3088\u3046\u306b\u3001\u65b0\u3057\u3044\u30a2\u30af\u30b7\u30e7\u30f3\u306e\u7a2e\u985e\u3067\u30af\u30a8\u30ea\u3092\u66f4\u65b0\u3057\u3066\u304f\u3060\u3055\u3044\u3002 <\/p>\n

\u53e4\u3044\u30af\u30a8\u30ea\u306e\u4f8b: <\/p>\n

\u30c7\u30d0\u30a4\u30b9 \u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30a4\u30d9\u30f3\u30c8   <\/p>\n

|\u3053\u3053\u3067\u3001ActionType == “NetworkSignatureInspected” <\/p>\n

|\u62e1\u5f35\u8ffd\u52a0\u30d5\u30a3\u30fc\u30eb\u30c9 = \u52d5\u7684(\u8ffd\u52a0\u30d5\u30a3\u30fc\u30eb\u30c9) <\/p>\n

|\u3053\u3053\u3067\u3001AdditionalFields.SignatureName == “SSH” <\/p>\n

\u65b0\u3057\u3044\u30af\u30a8\u30ea: <\/p>\n

\u30c7\u30d0\u30a4\u30b9 \u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30a4\u30d9\u30f3\u30c8   <\/p>\n

|\u3053\u3053\u3067\u3001ActionType == “SshConnectionInspected” <\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

MC559251 | Update your custom detections to leverage new ActionTypes in DeviceNetworkEvents Classification pla […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1661","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/1661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=1661"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/1661\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=1661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=1661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=1661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}