kqlHunting
MDA Blocks by Application and URL
Detection Query
DeviceEvents
| where TimeGenerated > ago(90d)
// Custom block list hits are reported either as a SmartScreen URL warning or as a Network Protection block
| where (ActionType == "SmartScreenUrlWarning" and AdditionalFields.Experience == "CustomBlockList")
    or (ActionType == "ExploitGuardNetworkProtectionBlocked" and AdditionalFields.ResponseCategory == "CustomBlockList")
| where tostring(AdditionalFields.DisplayName) has "appName" or isnotempty(tostring(AdditionalFields.ApplicationName))
// The application name is carried either in DisplayName (prefixed "appName=") or in ApplicationName, depending on the event
| extend Application = iff(tostring(AdditionalFields.DisplayName) has "appName",
    replace_string(tostring(AdditionalFields.DisplayName), "appName=", ""),
    tostring(AdditionalFields.ApplicationName))
// Strip surrounding quotes so the same application is not split into several groups
| extend Application = replace_string(Application, '"', '')
| summarize BlockedURls = make_list(RemoteUrl) by Application
Data Sources
DeviceEvents
Platforms
windows
Tags
defender