Microsoft offers network protection for devices; it can be based on custom indicators uploaded to the portal or on a website's reputation. Depending on the reputation of a website, an alert may be generated. The most common Response Categories are: CustomPolicy, CustomBlockList, CasbPolicy (Defender for Cloud Apps), Malicious and Phishing. The query contains a filter that excludes all custom indicator hits, since they may otherwise overwhelm the results.
A user has accessed (or tried to access) a malicious website. If the Exploit Guard policy is in audit mode, the user can still be at risk, because the network connection was not blocked.
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide#advanced-hunting
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators?view=o365-worldwide
```kql
// Defender XDR advanced hunting version (uses the Timestamp column)
DeviceEvents
| where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited')
| extend ResponseCategory = tostring(parse_json(AdditionalFields).ResponseCategory),
         DisplayName = tostring(parse_json(AdditionalFields).DisplayName)
// The line below excludes blocked actions caused by the custom network IOCs in Defender.
// Comment it out if you do want to see those hits.
| where ResponseCategory != "CustomBlockList"
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountUpn,
    ActionType,
    RemoteUrl,
    ResponseCategory,
    DisplayName
```
```kql
// Microsoft Sentinel version (uses the TimeGenerated column)
DeviceEvents
| where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited')
| extend ResponseCategory = tostring(parse_json(AdditionalFields).ResponseCategory),
         DisplayName = tostring(parse_json(AdditionalFields).DisplayName)
// The line below excludes blocked actions caused by the custom network IOCs in Defender.
// Comment it out if you do want to see those hits.
| where ResponseCategory != "CustomBlockList"
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountUpn,
    ActionType,
    RemoteUrl,
    ResponseCategory,
    DisplayName
```
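The audit-mode caveat above is worth triaging on its own: an audited (not blocked) connection to a Malicious or Phishing site means the user may actually have reached it. The following is an added query, not part of the original query set, that groups those events per device, account and category and surfaces devices where audit-only hits occurred. It assumes the Defender XDR Timestamp column; replace it with TimeGenerated for Sentinel.

```kql
// Added example: prioritise audit-only network protection hits for reputation-based
// categories, because in audit mode the connection was allowed through.
DeviceEvents
| where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited')
| extend ResponseCategory = tostring(parse_json(AdditionalFields).ResponseCategory),
         DisplayName = tostring(parse_json(AdditionalFields).DisplayName)
// Only reputation-based verdicts; custom indicator categories are left out as in the query above.
| where ResponseCategory in~ ('Malicious', 'Phishing')
| summarize
    AuditedCount = countif(ActionType =~ 'ExploitGuardNetworkProtectionAudited'),
    BlockedCount = countif(ActionType =~ 'ExploitGuardNetworkProtectionBlocked'),
    Urls = make_set(RemoteUrl, 10),   // up to 10 distinct URLs per group
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountUpn, ResponseCategory
// Devices with audited hits are the ones where the user was not protected.
| where AuditedCount > 0
| order by AuditedCount desc, LastSeen desc
```

A device that shows only audited hits and no blocked ones is a likely candidate for a policy still in audit mode and should be reviewed first.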