Query Details

MDE Web Protection

Query

name : MDE Web Protection
source : https://github.com/LearningKijo/KQL/blob/main/KQL-Effective-Use/03-kql-MDE-WebProtection.md
description : the KQL hunting queries will include the following products
- Microsoft Defender for Endpoint - Url Indicators
- Microsoft Defender for Endpoint - Web Content Filtering
- Microsoft Defender for Cloud Apps - Unsanctioned app
- Microsoft Defender SmartScreen
query: |
    // Edge browser - Microsoft SmartScreen: per-device event counts, split by the product that produced the warning
    DeviceEvents
    | where Timestamp > ago(7d)
    | where ActionType == "SmartScreenUrlWarning"
    | extend ParsedFields = parse_json(AdditionalFields)
    // Experience tells which product triggered the SmartScreen page
    | extend Experience = tostring(ParsedFields.Experience)
    | summarize MDE_IoC = countif(Experience == "CustomBlockList"),
        MDE_WCF = countif(Experience == "CustomPolicy"),
        MDA_CASB = countif(Experience == "CasbPolicy"),
        Edge_SS = countif(Experience in ("Malicious", "Phishing")) by DeviceId, DeviceName
    
    
    // Edge browser - Microsoft SmartScreen: per-device lists of the URLs behind each warning type
    DeviceEvents
    | where Timestamp > ago(7d)
    | where ActionType == "SmartScreenUrlWarning"
    | extend ParsedFields = parse_json(AdditionalFields)
    | extend Experience = tostring(ParsedFields.Experience)
    | summarize MDE_IoC = make_list_if(RemoteUrl, Experience == "CustomBlockList"),
        MDE_WCF = make_list_if(RemoteUrl, Experience == "CustomPolicy"),
        MDA_CASB = make_list_if(RemoteUrl, Experience == "CasbPolicy"),
        Edge_SS = make_list_if(RemoteUrl, Experience in ("Malicious", "Phishing")) by DeviceId, DeviceName
    
    
    // 3rd party browser - Windows Defender Exploit Guard, Network Protection: per-device event counts
    DeviceEvents
    | where Timestamp > ago(7d)
    | where ActionType == "ExploitGuardNetworkProtectionBlocked"
    | extend ParsedFields = parse_json(AdditionalFields)
    // ResponseCategory tells which product produced the Network Protection block
    | extend ResponseCategory = tostring(ParsedFields.ResponseCategory)
    | summarize MDE_IoC = countif(ResponseCategory == "CustomBlockList"),
        MDE_WCF = countif(ResponseCategory == "CustomPolicy"),
        MDA_CASB = countif(ResponseCategory == "CasbPolicy") by DeviceId, DeviceName
    
    
    // 3rd party browser - Windows Defender Exploit Guard, Network Protection: per-device lists of blocked URLs
    DeviceEvents
    | where Timestamp > ago(7d)
    | where ActionType == "ExploitGuardNetworkProtectionBlocked"
    | extend ParsedFields = parse_json(AdditionalFields)
    | extend ResponseCategory = tostring(ParsedFields.ResponseCategory)
    | summarize MDE_IoC = make_list_if(RemoteUrl, ResponseCategory == "CustomBlockList"),
        MDE_WCF = make_list_if(RemoteUrl, ResponseCategory == "CustomPolicy"),
        MDA_CASB = make_list_if(RemoteUrl, ResponseCategory == "CasbPolicy") by DeviceId, DeviceName
    
    
    // Bypass - MDE Indicators Warn: users who clicked through a SmartScreen or Network Protection warning
    DeviceEvents
    | where Timestamp > ago(7d)
    | where ActionType in ("SmartScreenUserOverride", "NetworkProtectionUserBypassEvent")
    | extend Browser = case(
        InitiatingProcessFileName has "msedge", "Edge",
        InitiatingProcessFileName has "chrome", "Chrome",
        InitiatingProcessFileName has "firefox", "Firefox",
        InitiatingProcessFileName has "opera", "Opera",
        "3rd party browser")
    | project Timestamp, DeviceId, DeviceName, ActionType, Browser, RemoteUrl
    

Explanation

The query is designed to gather information about web protection events from different products, including Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, and Microsoft Defender SmartScreen.

The query is split into several sections, separated by blank lines, each focusing on a different scenario and browser. It retrieves events related to Microsoft SmartScreen warnings in the Edge browser, as well as events related to Windows Defender Exploit Guard and Network Protection in third-party browsers.

The query also captures events where users bypassed Microsoft Defender for Endpoint indicators. The results include information such as the timestamp, device ID, device name, action type, browser, and remote URL.

Overall, the query helps to monitor and analyze web protection events across different products and browsers.
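The sections above run the same classification twice, once over the SmartScreen `Experience` field and once over the Network Protection `ResponseCategory` field. The consolidated query below is an added example, not code from the LearningKijo repository, that normalizes both event types into one `Category` column, maps each category to the product behind it, and folds in the user-bypass events so blocks and overrides can be compared in a single result. The `Product` labels, the `UserBypass` marker and the 50-entry cap on `make_set()` are choices of this example rather than values that exist in the `DeviceEvents` table.

```kql
// Added example: one pass over SmartScreen blocks, Network Protection blocks and user bypasses.
// Product labels below are this example's own mapping, not column values from DeviceEvents.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("SmartScreenUrlWarning", "ExploitGuardNetworkProtectionBlocked",
                       "SmartScreenUserOverride", "NetworkProtectionUserBypassEvent")
| extend ParsedFields = parse_json(AdditionalFields)
// SmartScreen events carry the decision in Experience, Network Protection events in ResponseCategory;
// override/bypass events are tagged with a marker of this example's choosing
| extend Category = case(
    ActionType == "SmartScreenUrlWarning", tostring(ParsedFields.Experience),
    ActionType == "ExploitGuardNetworkProtectionBlocked", tostring(ParsedFields.ResponseCategory),
    "UserBypass")
// Map the category to the product that produced it (labels are assumptions of this example)
| extend Product = case(
    Category == "CustomBlockList", "MDE Url Indicators",
    Category == "CustomPolicy", "MDE Web Content Filtering",
    Category == "CasbPolicy", "MDA Unsanctioned app",
    Category in ("Malicious", "Phishing"), "Microsoft Defender SmartScreen",
    Category == "UserBypass", "User override",
    "Other")
// Same browser classification the bypass section of the page uses
| extend Browser = case(
    InitiatingProcessFileName has "msedge", "Edge",
    InitiatingProcessFileName has "chrome", "Chrome",
    InitiatingProcessFileName has "firefox", "Firefox",
    InitiatingProcessFileName has "opera", "Opera",
    "3rd party browser")
| summarize Events = count(),
    Devices = dcount(DeviceId),
    Urls = make_set(RemoteUrl, 50),
    LastSeen = max(Timestamp)
    by Product, Category, ActionType, Browser
| order by Events desc
```

Rows with `Product == "Other"` are worth a look when tuning: they are categories the mapping does not know yet. The `UserBypass` bucket deliberately does not parse `AdditionalFields` for override events, since this page does not establish which fields those events carry.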

Details

Kijo Girardi

Released: March 29, 2023

Tables

DeviceEvents

Keywords

Devices,Intune,User

Operators

toscalar(), arg_max(), count(), mv-expand, where, extend, parse_json(), summarize, countif(), make_list_if(), by, case(), project