Exploit Guard Network Protection Triggered
Exploit Guard Network Protection
Query
DeviceEvents
| where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited')
| extend ResponseCategory = tostring(parse_json(AdditionalFields).ResponseCategory),
DisplayName = tostring(parse_json(AdditionalFields).DisplayName)
// If you do not want to see the blocked actions from the custom Network IOCs from defender uncomment the line below.
| where ResponseCategory != "CustomBlockList"
| project
Timestamp,
DeviceName,
InitiatingProcessAccountUpn,
ActionType,
RemoteUrl,
ResponseCategory,
DisplayNameAbout this query
Explanation
This query is designed to identify and report instances where Microsoft's network protection has been triggered on devices. It focuses on two specific actions: when network protection has blocked access to a site or when it has merely audited the access without blocking it. The query aims to highlight potential security risks by identifying attempts to access malicious websites.
Here's a simple breakdown of what the query does:
-
Data Source: It pulls data from
DeviceEvents, which logs various device-related activities. -
Filter Criteria:
- It looks for events where the action type is either
ExploitGuardNetworkProtectionBlocked(indicating a blocked attempt) orExploitGuardNetworkProtectionAudited(indicating an attempt that was logged but not blocked). - It excludes events categorized under "CustomBlockList" to avoid overwhelming results with custom indicators.
- It looks for events where the action type is either
-
Data Extraction:
- It extracts additional information from the
AdditionalFieldscolumn, specifically theResponseCategory(type of response) andDisplayName(name of the policy or rule).
- It extracts additional information from the
-
Output:
- The query outputs a list of events with details such as the timestamp, device name, user account, action type, URL attempted, response category, and display name.
-
Purpose:
- The purpose is to monitor and analyze attempts to access potentially harmful websites, helping security teams to assess and respond to threats effectively.
This query is useful for security analysts to track and manage network protection events, ensuring that devices are safeguarded against malicious activities.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators