Query Details

Network Protection

MDE Defender Network Protection Events

Query

DeviceEvents 
| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')

About this query

Explanation

The query retrieves network protection events from Microsoft 365 Defender. It filters the events based on the ActionType, and in some cases, the InitiatingProcessAccountName. The query also includes parsing and projecting specific fields from the AdditionalFields column. There are separate queries for Defender Network Protection, Defender SmartScreen, and a combination of both. Additionally, there is a query that joins AlertInfo and AlertEvidence tables to retrieve suspicious connection alerts blocked by network protection.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

DevicesIntuneUserNetwork ProtectionExploitGuardNetworkProtectionAuditedExploitGuardNetworkProtectionBlockedsystemResponseCategoryDisplayNameIsAuditUriInitiatingProcessFileNameSmartScreenUrlWarningSmartScreenUserOverrideAdditionalFieldsExperienceApplicationNameAllowUserSidAlertInfoAlertEvidenceSuspicious connection blocked by network protectionUrlTimestampRemoteIPAlertId

Operators

|wherein==extendparse_jsonsort byprojectreplacetostringsplitdistinctiffjoinon

Actions

GitHub