
Exploit Guard Network Protection Triggered

Microsoft Defender for Endpoint network protection blocks or audits outbound connections to URLs and domains, either based on custom indicators uploaded to the portal or on a website's reputation. Depending on the reputation of a website, an alert may be generated. The most common Response Categories are CustomPolicy, CustomBlockList, CasbPolicy (Defender for Cloud Apps), Malicious and Phishing. The query contains a filter that excludes hits on custom indicators (ResponseCategory CustomBlockList), which would otherwise overwhelm the results.

Detection Query (Defender XDR)

```KQL
DeviceEvents
| where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited')
| extend ResponseCategory = tostring(parse_json(AdditionalFields).ResponseCategory),
     DisplayName = tostring(parse_json(AdditionalFields).DisplayName)
// The line below hides blocks and audits caused by the custom network indicators (IoCs) uploaded to Defender; comment it out to include them.
| where ResponseCategory != "CustomBlockList"
| project
     Timestamp,
     DeviceName,
     InitiatingProcessAccountUpn,
     ActionType,
     RemoteUrl,
     ResponseCategory,
     DisplayName
```

Data Sources

DeviceEvents

Platforms

windows, azure-sentinel, microsoft-defender

Tags

defender-for-endpoint, hunting, ioc

#### Risk
A user has accessed (or tried to access) a malicious website. If the Exploit Guard policy is in audit mode, the user may still be at risk, because the network connection was only logged and not blocked.
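To make the query's behaviour concrete, the following Python re-implements its logic (case-insensitive ActionType match, extraction of ResponseCategory and DisplayName from the AdditionalFields JSON, exclusion of CustomBlockList hits, projection of the same columns) over a handful of constructed DeviceEvents rows, and separately pulls out the audit-only rows that the Risk note above flags as still exposed. This is an added example, not code from the kqlHunting repository or from Microsoft; the sample events and the function names `hunt_network_protection` and `audited_not_blocked` are assumptions made for illustration.

```python
"""
Added example: apply the Exploit Guard network protection hunting logic to
constructed sample DeviceEvents rows. AdditionalFields is a JSON string, as
it is in the real table.
"""
import json

# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-10T09:01:00Z", "DeviceName": "ws01",
     "InitiatingProcessAccountUpn": "alice@example.com",
     "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "https://phish.example/login",
     "AdditionalFields": json.dumps({"ResponseCategory": "Phishing",
                                     "DisplayName": "Phishing site"})},
    {"Timestamp": "2024-01-10T09:02:00Z", "DeviceName": "ws02",
     "InitiatingProcessAccountUpn": "bob@example.com",
     # mixed case on purpose: KQL `in~` matches case-insensitively
     "ActionType": "exploitguardnetworkprotectionaudited",
     "RemoteUrl": "https://bad.example/payload",
     "AdditionalFields": json.dumps({"ResponseCategory": "Malicious",
                                     "DisplayName": "Malware host"})},
    {"Timestamp": "2024-01-10T09:03:00Z", "DeviceName": "ws03",
     "InitiatingProcessAccountUpn": "carol@example.com",
     "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "https://blocked-by-ioc.example/",
     # hit on a custom indicator: dropped by the default filter
     "AdditionalFields": json.dumps({"ResponseCategory": "CustomBlockList",
                                     "DisplayName": "Custom IOC"})},
    {"Timestamp": "2024-01-10T09:04:00Z", "DeviceName": "ws04",
     "InitiatingProcessAccountUpn": "dave@example.com",
     "ActionType": "SmartScreenUrlWarning",   # other ActionType: ignored
     "RemoteUrl": "https://warn.example/",
     "AdditionalFields": json.dumps({"ResponseCategory": "Malicious"})},
    {"Timestamp": "2024-01-10T09:05:00Z", "DeviceName": "ws05",
     "InitiatingProcessAccountUpn": "erin@example.com",
     "ActionType": "ExploitGuardNetworkProtectionAudited",
     "RemoteUrl": "https://nofields.example/",
     "AdditionalFields": "{}"},               # no category/display name
]

NETWORK_PROTECTION_ACTIONS = {"exploitguardnetworkprotectionblocked",
                              "exploitguardnetworkprotectionaudited"}
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessAccountUpn",
             "ActionType", "RemoteUrl", "ResponseCategory", "DisplayName")


def parse_additional_fields(raw):
    """Mirror parse_json(AdditionalFields): empty or invalid JSON gives {}."""
    try:
        parsed = json.loads(raw) if raw else {}
    except (json.JSONDecodeError, TypeError):
        parsed = {}
    return parsed if isinstance(parsed, dict) else {}


def hunt_network_protection(events, exclude_custom_blocklist=True):
    """Apply the query's where/extend/project steps; return projected rows."""
    results = []
    for ev in events:
        if str(ev.get("ActionType", "")).lower() not in NETWORK_PROTECTION_ACTIONS:
            continue
        fields = parse_additional_fields(ev.get("AdditionalFields"))
        # tostring() of a missing dynamic property is "" in KQL, so an event
        # without ResponseCategory survives the != "CustomBlockList" filter.
        category = str(fields.get("ResponseCategory") or "")
        display = str(fields.get("DisplayName") or "")
        if exclude_custom_blocklist and category == "CustomBlockList":
            continue
        row = {k: ev.get(k, "") for k in PROJECTED}
        row["ResponseCategory"] = category
        row["DisplayName"] = display
        results.append(row)
    return results


def audited_not_blocked(rows):
    """Rows where protection only audited: the connection was allowed."""
    return [r for r in rows
            if r["ActionType"].lower() == "exploitguardnetworkprotectionaudited"]


if __name__ == "__main__":
    hits = hunt_network_protection(SAMPLE_EVENTS)
    for r in hits:
        print(r["DeviceName"], r["ActionType"], r["ResponseCategory"] or "<none>")
    print("audit-only (not blocked):",
          [r["DeviceName"] for r in audited_not_blocked(hits)])
```

Running it yields three rows (ws01, ws02, ws05): the custom-indicator hit and the unrelated SmartScreen event are dropped, the mixed-case ActionType is still matched, and the audit-only rows (ws02, ws05) are the ones to triage first because the connection was not blocked. Passing `exclude_custom_blocklist=False` corresponds to commenting out the filter line in the KQL.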

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide#advanced-hunting
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators?view=o365-worldwide


## Sentinel
```KQL
DeviceEvents
| where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited')
| extend ResponseCategory = tostring(parse_json(AdditionalFields).ResponseCategory),
     DisplayName = tostring(parse_json(AdditionalFields).DisplayName)
// The line below hides blocks and audits caused by the custom network indicators (IoCs) uploaded to Defender; comment it out to include them.
| where ResponseCategory != "CustomBlockList"
| project
     TimeGenerated,
     DeviceName,
     InitiatingProcessAccountUpn,
     ActionType,
     RemoteUrl,
     ResponseCategory,
     DisplayName
```