Query Details

Custom IOC Block Events

Query

// This query monitors for custom blocks from MDE Indicators (Hash, Certificate, URL)
DeviceEvents
| where (ActionType == "SmartScreenUrlWarning" and AdditionalFields.Experience == "CustomBlockList") or (AdditionalFields.ThreatName contains "EUS:Win32/Custom" and ActionType == "AntivirusDetection") or (AdditionalFields.ResponseCategory == "CustomBlockList" and ActionType == "ExploitGuardNetworkProtectionBlocked")
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| summarize by FileName, RemoteUrl, DeviceName, Signer, InitiatingProcessAccountName, InitiatingProcessFileName, SHA1

Explanation

This query monitors and identifies custom blocks raised by Microsoft Defender for Endpoint (MDE) indicators, specifically hash, certificate, and URL indicators. A simplified breakdown of what the query does:

  1. Data Source: It starts by examining the DeviceEvents table, which contains various security-related events from devices.

  2. Filter Conditions: The query looks for specific types of events:

    • Events where the ActionType is "SmartScreenUrlWarning" and the experience is categorized as "CustomBlockList".
    • Events where the ActionType is "AntivirusDetection" and the threat name includes "EUS:Win32/Custom".
    • Events where the ActionType is "ExploitGuardNetworkProtectionBlocked" and the response category is "CustomBlockList".
  3. Join Operation: It performs a left outer join with the DeviceFileCertificateInfo table on the SHA1 hash, so each event is matched with its certificate information where a certificate row exists. Because the join is a left outer join, events with no matching hash (for example URL and network-protection blocks, which carry no file hash) are kept with an empty Signer rather than dropped.

  4. Summarization: Finally, it summarizes the results by grouping them based on several fields: FileName, RemoteUrl, DeviceName, Signer, InitiatingProcessAccountName, InitiatingProcessFileName, and SHA1. This helps in identifying unique instances of custom blocks along with relevant details like the file name, URL, device name, signer, and initiating process information.

In essence, the query is used to track and report on custom security blocks related to files, URLs, and certificates, providing a consolidated view of such events across devices.
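The same filter, left join and summarize logic, run offline over a few constructed DeviceEvents and DeviceFileCertificateInfo rows. This is an added Python example, not part of the original query page; the rows, hashes and signer are constructed, and AdditionalFields is kept as the raw JSON string so the parsing step is visible.

```python
import json

# Constructed sample DeviceEvents rows (not real telemetry).
DEVICE_EVENTS = [
    {"ActionType": "SmartScreenUrlWarning", "FileName": "", "RemoteUrl": "http://blocked.example/",
     "DeviceName": "ws01", "SHA1": "", "InitiatingProcessAccountName": "alice",
     "InitiatingProcessFileName": "msedge.exe", "AdditionalFields": '{"Experience":"CustomBlockList"}'},
    {"ActionType": "AntivirusDetection", "FileName": "tool.exe", "RemoteUrl": "",
     "DeviceName": "ws02", "SHA1": "a" * 40, "InitiatingProcessAccountName": "bob",
     "InitiatingProcessFileName": "explorer.exe",
     "AdditionalFields": '{"ThreatName":"EUS:Win32/CustomEnterpriseBlock!cl"}'},
    # Regular AV detection, not a custom indicator: must be excluded by the filter.
    {"ActionType": "AntivirusDetection", "FileName": "mal.exe", "RemoteUrl": "",
     "DeviceName": "ws02", "SHA1": "b" * 40, "InitiatingProcessAccountName": "bob",
     "InitiatingProcessFileName": "explorer.exe", "AdditionalFields": '{"ThreatName":"Trojan:Win32/Sample"}'},
    {"ActionType": "ExploitGuardNetworkProtectionBlocked", "FileName": "", "RemoteUrl": "http://c2.example/",
     "DeviceName": "ws03", "SHA1": "", "InitiatingProcessAccountName": "carol",
     "InitiatingProcessFileName": "powershell.exe", "AdditionalFields": '{"ResponseCategory":"CustomBlockList"}'},
]
DEVICE_EVENTS.append(dict(DEVICE_EVENTS[1]))  # same hash block reported twice; summarize collapses it
# Constructed DeviceFileCertificateInfo rows; only the hash-blocked file has a signer.
CERT_INFO = [{"SHA1": "a" * 40, "Signer": "Contoso Ltd"}]


def is_custom_ioc_block(event):
    """Mirror the query's where clause: one of three ActionType / AdditionalFields pairs."""
    fields = json.loads(event.get("AdditionalFields") or "{}")
    action = event["ActionType"]
    threat = (fields.get("ThreatName") or "").lower()  # KQL 'contains' is case-insensitive
    return (
        (action == "SmartScreenUrlWarning" and fields.get("Experience") == "CustomBlockList")
        or (action == "AntivirusDetection" and "eus:win32/custom" in threat)
        or (action == "ExploitGuardNetworkProtectionBlocked"
            and fields.get("ResponseCategory") == "CustomBlockList")
    )


def custom_ioc_blocks(events, cert_info):
    """Filter, left-join on SHA1 (Signer is None when no certificate row), then de-duplicate."""
    signer_by_sha1 = {c["SHA1"]: c["Signer"] for c in cert_info if c["SHA1"]}
    rows = []
    for e in events:
        if not is_custom_ioc_block(e):
            continue
        row = (e["FileName"], e["RemoteUrl"], e["DeviceName"], signer_by_sha1.get(e["SHA1"]),
               e["InitiatingProcessAccountName"], e["InitiatingProcessFileName"], e["SHA1"])
        if row not in rows:  # summarize by: one row per distinct combination
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in custom_ioc_blocks(DEVICE_EVENTS, CERT_INFO):
        print(row)
```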

Details

Jay Kerai

Released: November 10, 2024

Tables

DeviceEvents, DeviceFileCertificateInfo

Keywords

DeviceEvents, DeviceFileCertificateInfo, FileName, RemoteUrl, DeviceName, Signer, InitiatingProcessAccountName, InitiatingProcessFileName, SHA1

Operators

|, where, contains, or, join kind=leftouter, on, summarize by