Network Session Essentials (Preview)
Solution: Network Session Essentials
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.11 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-11-11 |
| Last Updated | 2026-03-27 |
| Solution Folder | Network Session Essentials |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (84%) |
| Pre-requisites | Amazon Web Services, Azure Firewall, Azure Network Security Groups, Check Point, CiscoASA, CiscoMeraki, Corelight, Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel, IoTOTThreatMonitoringwithDefenderforIoT, Microsoft Defender for Cloud, Microsoft Sysmon For Linux, Windows Firewall, PaloAlto-PAN-OS, Vectra AI Stream, Watchguard Firebox, zscaler1579058425289.zscaler_internet_access_mss, IllumioSaaS |
Network Session Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.
For details on the required solutions, see the Pre-requisites section below.
Recommendation :-
It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.
Additional Information
- 📖 Related Documentation: ASIM-based domain solutions overview - Uses ASIM Network Session schema for cross-product threat detection
- 📖 Related Documentation: ASIM Network Session schema reference - Field definitions for normalized network logs
Contents
Pre-requisites
This solution depends on 16 other solution(s):
Data Connectors
This solution does not include its own data connectors but uses connectors from dependency solutions:
- AI Vectra Stream via Legacy Agent (dependency on Vectra AI Stream)
- Amazon Web Services (dependency on Amazon Web Services)
- Amazon Web Services S3 (dependency on Amazon Web Services)
- Amazon Web Services S3 WAF (dependency on Amazon Web Services)
- Azure Firewall (dependency on Azure Firewall)
- Network Security Groups (dependency on Azure Network Security Groups)
- Subscription-based Microsoft Defender for Cloud (Legacy) (dependency on Microsoft Defender for Cloud)
- Cisco ASA via Legacy Agent (dependency on CiscoASA)
- Cisco ASA/FTD via AMA (dependency on CiscoASA)
- [Deprecated] Cisco Meraki (dependency on CiscoMeraki)
- Cisco Meraki (using REST API) (dependency on CiscoMeraki)
- Cisco Meraki (using REST API) (dependency on CiscoMeraki)
- Corelight Connector Exporter (dependency on Corelight)
- [Deprecated] Fortinet via Legacy Agent (dependency on Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel)
- [Deprecated] Fortinet via AMA (dependency on Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel)
- Illumio SaaS (dependency on IllumioSaaS)
- Illumio Saas (dependency on IllumioSaaS)
- Microsoft Defender for IoT (dependency on IoTOTThreatMonitoringwithDefenderforIoT)
- Tenant-based Microsoft Defender for Cloud (dependency on Microsoft Defender for Cloud)
- [Deprecated] Microsoft Sysmon For Linux (dependency on Microsoft Sysmon For Linux)
- [Deprecated] Palo Alto Networks (Firewall) via Legacy Agent (dependency on PaloAlto-PAN-OS)
- [Deprecated] Palo Alto Networks (Firewall) via AMA (dependency on PaloAlto-PAN-OS)
- [Recommended] Vectra AI Stream via AMA (dependency on Vectra AI Stream)
- [Deprecated] WatchGuard Firebox (dependency on Watchguard Firebox)
- Windows Firewall (dependency on Windows Firewall)
- Windows Firewall Events via AMA (dependency on Windows Firewall)
Tables Used
This solution queries 10 table(s) from its content items:
| Table | Used By Content |
|---|---|
NetworkSummary_Country_CL |
Workbooks |
NetworkSummary_IP_CL |
Workbooks |
NetworkSummary_Protocol_CL |
Analytics, Hunting, Workbooks |
NetworkSummary_Result_CL |
Workbooks |
NetworkSummary_Rule_CL |
Workbooks |
NetworkSummary_SourceInfo_CL |
Workbooks |
NetworkSummary_Source_Port_CL |
Workbooks |
NetworkSummary_Threat_CL |
Workbooks |
NetworkSummary_Threat_IOC_CL |
Workbooks |
ThreatIntelligenceIndicator |
Workbooks |
Internal Tables
The following 11 table(s) are used internally by this solution's content items:
| Table | Used By Content |
|---|---|
Anomalies |
Analytics, Hunting |
NetworkCustomAnalytics_CL |
Playbooks (writes), Workbooks |
NetworkCustomAnalytics_country_CL |
Playbooks (writes), Workbooks |
NetworkCustomAnalytics_ip_CL |
Playbooks (writes), Workbooks |
NetworkCustomAnalytics_protocol_CL |
Analytics, Hunting, Playbooks (writes), Workbooks |
NetworkCustomAnalytics_rule_CL |
Playbooks (writes), Workbooks |
NetworkCustomAnalytics_sourceInfo_CL |
Playbooks (writes), Workbooks |
NetworkCustomAnalytics_source_port_CL |
Playbooks (writes), Workbooks |
NetworkCustomAnalytics_threat_CL |
Playbooks (writes), Workbooks |
NetworkCustomAnalytics_threat_ioc_CL |
Playbooks (writes), Workbooks |
SecurityAlert |
Workbooks |
Content Items
This solution includes 38 content item(s):
| Content Type | Count |
|---|---|
| Summary Rule | 18 |
| Analytic Rules | 9 |
| Hunting Queries | 7 |
| Workbooks | 2 |
| Playbooks | 1 |
| Watchlists | 1 |
Analytic Rules
Hunting Queries
| Name | Tactics | Tables Used |
|---|---|---|
| Detect Outbound LDAP Traffic(ASIM Network Session schema) | InitialAccess, Execution | - |
| Detect port misuse by anomaly (ASIM Network Session schema) | CommandAndControl, InitialAccess, Execution | NetworkSummary_Protocol_CLInternal use: AnomaliesNetworkCustomAnalytics_protocol_CL |
| Detect port misuse by static threshold (ASIM Network Session schema) | CommandAndControl, InitialAccess, Execution | NetworkSummary_Protocol_CLInternal use: NetworkCustomAnalytics_protocol_CL |
| Detects several users with the same MAC address (ASIM Network Session schema) | InitialAccess | - |
| Mismatch between Destination App name and Destination Port (ASIM Network Session schema) | Discovery | - |
| Protocols passing authentication in cleartext (ASIM Network Session schema) | CommandAndControl | - |
| Remote Desktop Network Traffic(ASIM Network Session schema) | LateralMovement | - |
Workbooks
Playbooks
| Name | Description | Tables Used |
|---|---|---|
| Summarize Data for Network Session Essentials | This playbook summarizes data for Network Session Essentials and lands it into custom tables. | Internal use:NetworkCustomAnalytics_CL (read/write)NetworkCustomAnalytics_country_CL (read/write)NetworkCustomAnalytics_ip_CL (read/write)NetworkCustomAnalytics_protocol_CL (read/write)NetworkCustomAnalytics_rule_CL (read/write)NetworkCustomAnalytics_sourceInfo_CL (read/write)NetworkCustomAnalytics_source_port_CL (read/write)NetworkCustomAnalytics_threat_CL (read/write)NetworkCustomAnalytics_threat_ioc_CL (read/write) |
Watchlists
| Name | Description | Tables Used |
|---|---|---|
| NetworkSession_Monitor_Configuration | - | - |
Summary Rule
| Name | Description | Tables Used |
|---|---|---|
| NetworkSummary_Country | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Country | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_IP | 'This summary rule aggregates network session data using the ASIM normalized _Im_NetworkSession func... | - |
| NetworkSummary_IP | 'This summary rule aggregates network session data using the ASIM normalized _Im_NetworkSession func... | - |
| NetworkSummary_Protocol | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Protocol | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Result | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Result | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Rule | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Rule | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_SourceInfo | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_SourceInfo | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Source_Port | 'This summary rule aggregates network session data using the ASIM normalized _Im_NetworkSession func... | - |
| NetworkSummary_Source_Port | 'This summary rule aggregates network session data using the ASIM normalized _Im_NetworkSession func... | - |
| NetworkSummary_Threat | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Threat | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Threat_IOC | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
| NetworkSummary_Threat_IOC | 'This summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSessi... | - |
Release Notes
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.11 | 24-03-2026 | Bump solution version and Updated links to remove review.learn. |
| 3.0.10 | 14-02-2026 | Updated links to remove review.learn. |
| 3.0.9 | 06-02-2026 | Updated the relevant techniques in the hunting queries. |
| 3.0.8 | 23-09-2025 | Removed duplicate and redundant query blocks that previously handled different eps ranges, reducing code complexity and improving maintainability. |
| 3.0.7 | 4-07-2025 | Summary rules added and updated requiredDataConnectors. |
| 3.0.6 | 15-04-2025 | Updated Analytic Rule NetworkPortSweepFromExternalNetwork. |
| 3.0.5 | 12-12-2024 | Added IllumioSaaS solution in a domain solution list |
| 3.0.4 | 03-06-2024 | Added missing AMA Data Connector reference in Analytical rule and Hunting Query. |
| 3.0.3 | 12-03-2024 | Added 3 new Hunting Queries and 2 new Analytic Rules. |
| 3.0.2 | 07-02-2024 | Updated Analytic Rule (DetectPortMisuseByAnomalyBasedDetection). Updated Solution description. |
| 3.0.1 | 02-01-2024 | Tagged for dependent solutions for deployment. |
| 3.0.0 | 24-07-2023 | Updated ApiVersion for Watchlist. |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊