-- Converted from KQL to MySQL (heuristic conversion)
-- Date: 2025-09-13 00:40:46 UTC
-- Source file: KQL-main/ExploitGuard-NetworkProtection/Network_Protection_Exploit_Guard.kql
--
-- Original KQL (for reference):
-- // -----------------------------------------------------------------------------
-- // Query Name: NetworkProtection_Events_Detail
-- // Description:
-- // Retrieves Microsoft Defender Exploit Guard Network Protection events
-- // from the DeviceEvents table. These events show when outbound connections
-- // to potentially malicious or non-compliant domains were blocked or audited.
-- //
-- // The query parses the AdditionalFields JSON to expose extra details such as:
-- // - IsAudit: whether the event was only audited (logged) or blocked
-- // - ResponseCategory: action category (e.g., Block, Warn, Audit)
-- // - DisplayName: user-friendly rule/category name
-- //
-- // Use cases:
-- // - Identify devices and processes attempting to connect to risky URLs
-- // - Differentiate between audited vs. enforced Network Protection events
-- // - Investigate which applications are repeatedly triggering detections
-- //
-- // Output fields:
-- // DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName,
-- // IsAudit, ResponseCategory, DisplayName
-- //
-- // Results are sorted by most recent events first.
-- // -----------------------------------------------------------------------------
-- DeviceEvents
-- |where ActionType contains "ExploitGuardNetworkProtection"
-- |extend ParsedFields=parse_json(AdditionalFields)
-- |project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, IsAudit=tostring(ParsedFields.IsAudit), ResponseCategory=tostring(ParsedFields.ResponseCategory), DisplayName=tostring(ParsedFields.DisplayName)
-- |sort by Timestamp desc
--
-- Notes:
-- - Review the FROM table names and JSON field access (use JSON_EXTRACT for JSON columns).
-- - Replace /* <TABLE_OR_SUBQUERY> */ with the correct table or subquery if needed.
-- - Regex/contains translations use LIKE/REGEXP; adjust for performance as needed.
-- - Time windows: ago(7d) -> NOW() - INTERVAL 7 DAY, etc.
--
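-- MySQL rendering of the referenced KQL. The bare `SELECT *` dropped three
-- things the original query specifies: the projected column list, the
-- AdditionalFields JSON members (IsAudit, ResponseCategory, DisplayName),
-- and the newest-first ordering. All three are restored here.
--
-- JSON_UNQUOTE(JSON_EXTRACT(...)) returns the member as a plain string, which
-- is the closest MySQL equivalent of KQL tostring(ParsedFields.X). Difference
-- to be aware of: a missing member yields NULL here, where KQL yields ''.
-- KQL `contains` is case-insensitive; LIKE is case-insensitive only if
-- ActionType uses a case-insensitive collation — confirm against the schema.
-- The leading '%' preserves `contains` semantics but defeats any index on
-- ActionType; on large tables add a time window on `Timestamp` (see the
-- "Time windows" note above) to bound the scan.
SELECT
    DeviceName,
    ActionType,
    `Timestamp`,
    RemoteUrl,
    InitiatingProcessFileName,
    JSON_UNQUOTE(JSON_EXTRACT(AdditionalFields, '$.IsAudit')) AS IsAudit,
    JSON_UNQUOTE(JSON_EXTRACT(AdditionalFields, '$.ResponseCategory')) AS ResponseCategory,
    JSON_UNQUOTE(JSON_EXTRACT(AdditionalFields, '$.DisplayName')) AS DisplayName
FROM DeviceEvents
WHERE ActionType LIKE '%ExploitGuardNetworkProtection%'
ORDER BY `Timestamp` DESC;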