Exploit Guard Network Protection

Query

# Exploit Guard Network Protection Triggered

## Query Information

#### Description
Microsoft Defender for Endpoint network protection can block or audit outbound connections from a device, either based on custom indicators uploaded to the portal or based on a website's reputation. Depending on the reputation of a website, an alert may be generated. The most common Response Categories are CustomPolicy, CustomBlockList, CasbPolicy (Defender for Cloud Apps), Malicious and Phishing. The query contains a filter that excludes hits on custom block-list indicators (ResponseCategory CustomBlockList), because they can otherwise overwhelm the results.

#### Risk
A user has accessed (or tried to access) a malicious website. If the network protection policy is in audit mode, the connection was only logged (ActionType ExploitGuardNetworkProtectionAudited) and not blocked, so the user may still be at risk.

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide#advanced-hunting
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators?view=o365-worldwide

## Defender For Endpoint
```
DeviceEvents
| where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited')
| extend ResponseCategory = tostring(parse_json(AdditionalFields).ResponseCategory),
     DisplayName = tostring(parse_json(AdditionalFields).DisplayName)
// The line below hides events caused by custom network IOCs (ResponseCategory CustomBlockList); comment it out to include them.
| where ResponseCategory != "CustomBlockList"
| project
     Timestamp,
     DeviceName,
     InitiatingProcessAccountUpn,
     ActionType,
     RemoteUrl,
     ResponseCategory,
     DisplayName
```
## Sentinel
```
DeviceEvents
| where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited')
| extend ResponseCategory = tostring(parse_json(AdditionalFields).ResponseCategory),
     DisplayName = tostring(parse_json(AdditionalFields).DisplayName)
// The line below hides events caused by custom network IOCs (ResponseCategory CustomBlockList); comment it out to include them.
| where ResponseCategory != "CustomBlockList"
| project
     TimeGenerated,
     DeviceName,
     InitiatingProcessAccountUpn,
     ActionType,
     RemoteUrl,
     ResponseCategory,
     DisplayName
```

Explanation

This query retrieves Exploit Guard Network Protection events from Microsoft Defender for Endpoint or Microsoft Sentinel (the only difference between the two versions is the timestamp column, Timestamp versus TimeGenerated). It parses ResponseCategory and DisplayName out of the AdditionalFields JSON, drops events with the CustomBlockList category, and projects the timestamp, device name, user account, action type, remote URL, response category and display name. The query helps identify instances where a user accessed or attempted to access a malicious website, including audited events where the network connection was not blocked.
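To show what the query does to individual rows, the following Python is an added example (not part of the original page and not Microsoft's or the author's code) that emulates its logic over constructed DeviceEvents records: the case-insensitive `in~` match on ActionType, the `tostring(parse_json(AdditionalFields).ResponseCategory)` extraction, and the CustomBlockList filter. The sample rows, device names, UPNs and URLs are all made up; the extra `ConnectionAllowed` field is an assumption added to flag audited (not blocked) connections, which the Risk section identifies as the case where the user is still exposed.

```python
import json

# Constructed sample DeviceEvents rows (not real telemetry). AdditionalFields is
# stored as a JSON string in the table, which is why the query uses parse_json().
SAMPLE_DEVICE_EVENTS = [
    {"Timestamp": "2023-02-14T09:12:01Z", "DeviceName": "ws01.contoso.local",
     "InitiatingProcessAccountUpn": "alice@contoso.com",
     "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "http://malicious.example/payload.exe",
     "AdditionalFields": json.dumps({"ResponseCategory": "Malicious", "DisplayName": "Malicious site"})},
    {"Timestamp": "2023-02-14T09:15:44Z", "DeviceName": "ws02.contoso.local",
     "InitiatingProcessAccountUpn": "bob@contoso.com",
     "ActionType": "ExploitGuardNetworkProtectionAudited",   # audit mode: connection allowed
     "RemoteUrl": "http://phish.example/login",
     "AdditionalFields": json.dumps({"ResponseCategory": "Phishing", "DisplayName": "Phishing site"})},
    {"Timestamp": "2023-02-14T09:20:10Z", "DeviceName": "ws03.contoso.local",
     "InitiatingProcessAccountUpn": "carol@contoso.com",
     "ActionType": "exploitguardnetworkprotectionblocked",   # in~ matches case-insensitively
     "RemoteUrl": "http://blocked-by-ioc.example/",
     "AdditionalFields": json.dumps({"ResponseCategory": "CustomBlockList", "DisplayName": "Custom IOC"})},
    {"Timestamp": "2023-02-14T09:25:00Z", "DeviceName": "ws04.contoso.local",
     "InitiatingProcessAccountUpn": "dave@contoso.com",
     "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "http://unknown.example/",
     "AdditionalFields": "{}"},   # no ResponseCategory: KQL tostring() yields "" and the row is kept
    {"Timestamp": "2023-02-14T09:30:00Z", "DeviceName": "ws05.contoso.local",
     "InitiatingProcessAccountUpn": "erin@contoso.com",
     "ActionType": "SmartScreenUrlWarning",   # different ActionType: must be dropped
     "RemoteUrl": "http://warn.example/",
     "AdditionalFields": json.dumps({"ResponseCategory": "Malicious"})},
]

# Lower-cased because the query uses in~ (case-insensitive membership).
TRIGGER_ACTIONS = {"exploitguardnetworkprotectionblocked", "exploitguardnetworkprotectionaudited"}


def kql_tostring(value):
    """Mimic KQL tostring() on a missing or null dynamic field: returns an empty string."""
    return "" if value is None else str(value)


def network_protection_hits(events, exclude_custom_blocklist=True):
    """Emulate the page's query: filter on ActionType, parse AdditionalFields,
    optionally drop CustomBlockList hits, and project the same columns."""
    rows = []
    for ev in events:
        if ev.get("ActionType", "").lower() not in TRIGGER_ACTIONS:
            continue
        fields = json.loads(ev.get("AdditionalFields") or "{}")
        category = kql_tostring(fields.get("ResponseCategory"))
        if exclude_custom_blocklist and category == "CustomBlockList":
            continue
        rows.append({
            "Timestamp": ev["Timestamp"],
            "DeviceName": ev["DeviceName"],
            "InitiatingProcessAccountUpn": ev["InitiatingProcessAccountUpn"],
            "ActionType": ev["ActionType"],
            "RemoteUrl": ev["RemoteUrl"],
            "ResponseCategory": category,
            "DisplayName": kql_tostring(fields.get("DisplayName")),
            # Assumed extra column: an Audited event means the connection went through.
            "ConnectionAllowed": ev["ActionType"].lower().endswith("audited"),
        })
    return rows


if __name__ == "__main__":
    for row in network_protection_hits(SAMPLE_DEVICE_EVENTS):
        print(row["DeviceName"], row["ResponseCategory"] or "<none>", "allowed" if row["ConnectionAllowed"] else "blocked", row["RemoteUrl"])
```

Running it over the constructed rows keeps three events (ws01, ws02 and ws04), drops the CustomBlockList hit and the unrelated ActionType, and marks only the audited ws02 connection as allowed. Note that a row with no ResponseCategory in AdditionalFields survives the `!= "CustomBlockList"` filter with an empty category, which is the behaviour the KQL `tostring()` gives as well.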

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceEvents

Keywords

ExploitGuard,NetworkProtection,Triggered,Query,Devices,Intune,User

Operators

where, in~, extend, tostring, parse_json, !=, project