Network Protection
MDE Defender Network Protection Events
Query
DeviceEvents
| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')About this query
Explanation
The query retrieves network protection events from Microsoft 365 Defender. It filters the events based on the ActionType, and in some cases, the InitiatingProcessAccountName. The query also includes parsing and projecting specific fields from the AdditionalFields column. There are separate queries for Defender Network Protection, Defender SmartScreen, and a combination of both. Additionally, there is a query that joins AlertInfo and AlertEvidence tables to retrieve suspicious connection alerts blocked by network protection.
Details

Alex Verboon
Released: June 4, 2023
Tables
DeviceEvents
Keywords
DevicesIntuneUserNetwork ProtectionExploitGuardNetworkProtectionAuditedExploitGuardNetworkProtectionBlockedsystemResponseCategoryDisplayNameIsAuditUriInitiatingProcessFileNameSmartScreenUrlWarningSmartScreenUserOverrideAdditionalFieldsExperienceApplicationNameAllowUserSidAlertInfoAlertEvidenceSuspicious connection blocked by network protectionUrlTimestampRemoteIPAlertId
Operators
|wherein==extendparse_jsonsort byprojectreplacetostringsplitdistinctiffjoinon