Query Details

Exploit Guard Network Protection Triggered

Exploit Guard Network Protection

Query

DeviceEvents
| where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited')
| extend ResponseCategory = tostring(parse_json(AdditionalFields).ResponseCategory),
     DisplayName = tostring(parse_json(AdditionalFields).DisplayName)
// If you do not want to see the blocked actions from the custom Network IOCs from defender uncomment the line below.
| where ResponseCategory != "CustomBlockList"
| project
     Timestamp,
     DeviceName,
     InitiatingProcessAccountUpn,
     ActionType,
     RemoteUrl,
     ResponseCategory,
     DisplayName

About this query

Explanation

This query is designed to identify and report instances where Microsoft's network protection has been triggered on devices. It focuses on two specific actions: when network protection has blocked access to a site or when it has merely audited the access without blocking it. The query aims to highlight potential security risks by identifying attempts to access malicious websites.

Here's a simple breakdown of what the query does:

  1. Data Source: It pulls data from DeviceEvents, which logs various device-related activities.

  2. Filter Criteria:

    • It looks for events where the action type is either ExploitGuardNetworkProtectionBlocked (indicating a blocked attempt) or ExploitGuardNetworkProtectionAudited (indicating an attempt that was logged but not blocked).
    • It excludes events categorized under "CustomBlockList" to avoid overwhelming results with custom indicators.
  3. Data Extraction:

    • It extracts additional information from the AdditionalFields column, specifically the ResponseCategory (type of response) and DisplayName (name of the policy or rule).
  4. Output:

    • The query outputs a list of events with details such as the timestamp, device name, user account, action type, URL attempted, response category, and display name.
  5. Purpose:

    • The purpose is to monitor and analyze attempts to access potentially harmful websites, helping security teams to assess and respond to threats effectively.

This query is useful for security analysts to track and manage network protection events, ensuring that devices are safeguarded against malicious activities.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceEvents

Keywords

DeviceEventsActionTypeResponseCategoryDisplayNameTimestampInitiatingProcessAccountUpnRemoteUrlTimeGenerated

Operators

in~extendtostring()parse_json()!=project

Actions

GitHub