InboundNetworkEvents
Definition
`InboundNetworkEvents` is a KC7 data table that shows incoming web traffic to a company’s servers. When you visit a website, your device sends a request to the server asking for a page or file. The server receives that request, processes it, and returns a response. While this happens, the server keeps a record of important details about the request. This record becomes part of the data that analysts can review later.

In real organizations, web servers and security tools collect similar information to help defenders monitor activity, troubleshoot problems, and detect possible attacks.

| Field | What it means in simple terms |
| --- | --- |
| **timestamp** | The exact date and time the request happened |
| **method** | The type of request, such as GET to load a page or POST to submit a form |
| **src_ip** | The IP address of the device that made the request. This shows where the traffic came from |
| **user_agent** | Information about the browser or tool making the request. This helps identify normal users versus automated scripts |
| **url** | The specific webpage or resource the device tried to access |
| **referrer** | The page the user came from or the source that directed the traffic |
| **status_code** | The server’s response. For example: 200 means success. 404 means the page does not exist |

**What defenders learn from this table**

* Which outside systems are connecting to company resources
* Whether a request looks like a person using a normal browser or an automated attacker tool
* When someone is searching for files and pages that do not exist, which can signal reconnaissance
* How often errors or suspicious behavior occur

**Example query**

```
InboundNetworkEvents
| where status_code == 404
| summarize count() by src_ip
```

This helps find external systems scanning for missing pages. Attackers often do this to discover hidden admin panels or vulnerable software.
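The 404 query above counts every miss equally. As an added example (not part of the original glossary entry), the query below separates a visitor who followed one broken link from a source requesting many different missing URLs, and shows the user agent alongside. The sample rows, IP addresses, URLs and thresholds are constructed for illustration, and `status_code` is assumed to be numeric, as in the query above.

```kusto
// Constructed sample rows standing in for InboundNetworkEvents (not real data).
let SampleInboundNetworkEvents = datatable(
    timestamp:datetime, method:string, src_ip:string, user_agent:string,
    url:string, referrer:string, status_code:int)
[
    datetime(2024-01-10 09:00:01), "GET", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "https://example.com/", "https://www.google.com/", 200,
    datetime(2024-01-10 09:00:09), "GET", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "https://example.com/products", "https://example.com/", 200,
    datetime(2024-01-10 09:00:30), "GET", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "https://example.com/old-catalog", "https://example.com/products", 404,
    datetime(2024-01-10 09:01:12), "POST", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "https://example.com/contact", "https://example.com/products", 200,
    datetime(2024-01-10 09:05:00), "GET", "203.0.113.50", "python-requests/2.31.0", "https://example.com/", "", 200,
    datetime(2024-01-10 09:05:01), "GET", "203.0.113.50", "python-requests/2.31.0", "https://example.com/admin", "", 404,
    datetime(2024-01-10 09:05:01), "GET", "203.0.113.50", "python-requests/2.31.0", "https://example.com/administrator", "", 404,
    datetime(2024-01-10 09:05:02), "GET", "203.0.113.50", "python-requests/2.31.0", "https://example.com/backup.zip", "", 404,
    datetime(2024-01-10 09:05:02), "GET", "203.0.113.50", "python-requests/2.31.0", "https://example.com/login.php", "", 404
];
// To run against the real table, replace SampleInboundNetworkEvents with InboundNetworkEvents.
SampleInboundNetworkEvents
| summarize
    total_requests = count(),
    not_found = countif(status_code == 404),
    // Many *different* missing URLs is a stronger signal than one URL missed repeatedly.
    distinct_missing_urls = dcountif(url, status_code == 404),
    first_seen = min(timestamp),
    last_seen = max(timestamp),
    user_agents = make_set(user_agent, 5)
    by src_ip
| extend not_found_ratio = round(todouble(not_found) / total_requests, 2)
// Thresholds are illustrative assumptions; tune them to the traffic you are reviewing.
| where distinct_missing_urls >= 3 and not_found_ratio >= 0.5
| order by distinct_missing_urls desc
```

On the sample rows, the browser user with a single broken link is filtered out and only the source that requested several distinct missing URLs in two seconds remains.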