KQL Search

Query Details

HomeAI ToolsDevice Query

Multiple Unusual Network Adapter Vendor

Query

let query_frequency = 1h;
let query_period = 14d;
DeviceNetworkInfo
| where TimeGenerated > ago(query_period)
| where isnotempty(DeviceName) and not(NetworkAdapterStatus == "Unknown")
// | where not(NetworkAdapterType in ("Wwanpp", "Wireless80211"))
| where isnotempty(NetworkAdapterVendor) // VMware, Inc.  PCS Systemtechnik GmbH
| summarize arg_min(TimeGenerated, *) by DeviceId, NetworkAdapterType, NetworkAdapterVendor
| join kind=inner (
    DeviceInfo
    | where TimeGenerated > ago(query_period)
    | where isempty(MergedToDeviceId) and isnotempty(JoinType)
    | summarize arg_max(TimeGenerated, *) by DeviceId
    | project-away TimeGenerated
    ) on DeviceId
| project-away *1
| as _Auxiliar
| summarize arg_min(TimeGenerated, *) by JoinType, OSPlatform, NetworkAdapterType, NetworkAdapterVendor
| where TimeGenerated > ago(query_frequency)
| join kind=rightsemi _Auxiliar on JoinType, OSPlatform, NetworkAdapterType, NetworkAdapterVendor
| project
    TimeGenerated,
    DeviceName,
    OSPlatform,
    NetworkAdapterType,
    NetworkAdapterVendor,
    JoinType,
    PublicIP,
    IPAddresses,
    LoggedOnUsers,
    DeviceType,
    OnboardingStatus,
    DeviceId,
    AadDeviceId,
    CloudPlatforms,
    AzureResourceId,
    AwsResourceName,
    GcpFullResourceName,
    MergedDeviceIds

Explanation

This query is designed to analyze network adapter information from devices over a specified period and frequency. Here's a simplified breakdown of what the query does:

  1. Define Parameters:

    • query_frequency is set to 1 hour, meaning the results will focus on data from the last hour.
    • query_period is set to 14 days, meaning the query will consider data from the last 14 days.

  2. Filter Device Network Information:

    • It retrieves data from the DeviceNetworkInfo table where the data is from the last 14 days.
    • It ensures that the DeviceName is not empty and the NetworkAdapterStatus is not "Unknown".
    • It checks that the NetworkAdapterVendor is not empty.

  3. Summarize Network Adapter Data:

    • It summarizes the earliest (arg_min) network adapter data for each device by DeviceId, NetworkAdapterType, and NetworkAdapterVendor.

  4. Join with Device Information:

    • It joins the summarized network adapter data with the DeviceInfo table to get additional device details.
    • The join is based on DeviceId and only includes devices that have not been merged (isempty(MergedToDeviceId)) and have a non-empty JoinType.

  5. Further Summarization:

    • It further summarizes the data by JoinType, OSPlatform, NetworkAdapterType, and NetworkAdapterVendor, focusing on the earliest records.

  6. Filter by Recent Data:

    • It filters the summarized data to include only records from the last hour.

  7. Final Join and Projection:

    • It performs a right semi-join with the auxiliary data to ensure only relevant records are included.
    • Finally, it selects specific fields to display in the output, such as TimeGenerated, DeviceName, OSPlatform, NetworkAdapterType, NetworkAdapterVendor, and other device-related details.

Overall, this query is used to analyze and report on the network adapter configurations and statuses of devices within a specified time frame, focusing on recent changes or configurations.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: April 24, 2026

Tables

DeviceNetworkInfoDeviceInfo

Keywords

DeviceNetworkInfoDeviceInfo

Operators

letagowhereisnotemptynotinsummarizearg_minjoinkindproject-awayasarg_maxisemptyprojectrightsemi

Actions