Adversaries may attempt to bypass web content filtering to exfiltrate data or establish command and control (C2) channels while evading network security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel, using the web content filtering events generated by those controls, to identify potential data exfiltration or C2 activity that may evade traditional detection methods.
KQL Query
DeviceEvents
| where ActionType in ("ExploitGuardNetworkProtectionAudited", "ExploitGuardNetworkProtectionBlocked") or ActionType startswith_cs "SmartScreenUrl"
| extend AdditionalFields = todynamic(AdditionalFields)
| where AdditionalFields.Experience == 'CustomPolicy' or AdditionalFields.ResponseCategory == 'CustomBlockList'
| project-reorder Timestamp, DeviceName, RemoteUrl
id: 7f7a796d-1511-4930-b9da-5971db4352ec
name: Web Content Filtering Events
description: |
  This query identifies web content filtering events in Advanced Hunting.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
tactics:
  - Initial Access
  - Exfiltration
query: |
  DeviceEvents
  | where ActionType in ("ExploitGuardNetworkProtectionAudited", "ExploitGuardNetworkProtectionBlocked") or ActionType startswith_cs "SmartScreenUrl"
  | extend AdditionalFields = todynamic(AdditionalFields)
  | where AdditionalFields.Experience == 'CustomPolicy' or AdditionalFields.ResponseCategory == 'CustomBlockList'
  | project-reorder Timestamp, DeviceName, RemoteUrl
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Maintenance Task
Description: A system administrator is performing a scheduled maintenance task that involves accessing a known content filtering URL (e.g., https://content-filtering.example.com/maintenance).
Filter/Exclusion: Exclude events where the URL contains maintenance or sysadmin in the request path, or filter by user admin or sysadmin.
Scenario: Scheduled Job for Compliance Reporting
Description: A compliance reporting job runs daily and accesses a content filtering service to generate reports (e.g., https://compliance-reporting.example.com/generate).
Filter/Exclusion: Exclude events where the URL contains compliance or reporting, or filter by job name compliance-reporting-job.
Scenario: User Accessing Safe Search Filters
Description: A user is accessing safe search filters provided by an enterprise search tool (e.g., Microsoft Search, Google Workspace) to filter inappropriate content.
Filter/Exclusion: Exclude events where the URL contains safe-search, filter, or search and the user is part of the search-admin group.
Scenario: Content Filtering Service for Email Scanning
Description: The organization’s email gateway (e.g., Microsoft Exchange Online, Google Workspace) is using a content filtering service to scan emails for malicious content.
Filter/Exclusion: Exclude events where the URL contains email-scanning, smtp, or mail, and the source IP is from the internal email gateway.
Scenario: Internal Content Filtering for Web Portal Access
Description: Employees access an internal web portal that uses content filtering to restrict access to certain resources (e.g., https://internal-portal.example.com/filter).
Filter/Exclusion: Exclude events where the URL contains internal-portal or `
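To check the query's matching logic and the tuning exclusions offline before committing them to Sentinel, the following added example (not part of the original page or of the Sentinel content) re-implements the KQL filter in Python over constructed DeviceEvents rows and applies the maintenance-task exclusion from the first scenario. It assumes the account column is InitiatingProcessAccountName, and it requires both the path keyword and an administrative account before excluding, which is narrower than the scenario's either/or wording so that an administrator's traffic to an unrelated URL is still surfaced.

```python
import json
from urllib.parse import urlparse

# Constructed sample DeviceEvents rows (not real telemetry). AdditionalFields holds the
# raw JSON string that the KQL query converts with todynamic().
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-10T09:00:00Z", "DeviceName": "ws01",
     "InitiatingProcessAccountName": "jdoe",
     "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "https://files.example.net/upload",
     "AdditionalFields": '{"Experience":"CustomPolicy","ResponseCategory":"CustomBlockList"}'},
    {"Timestamp": "2024-01-10T09:05:00Z", "DeviceName": "ws02",
     "InitiatingProcessAccountName": "sysadmin",
     "ActionType": "SmartScreenUrlWarning",
     "RemoteUrl": "https://content-filtering.example.com/maintenance",
     "AdditionalFields": '{"Experience":"CustomPolicy"}'},
    {"Timestamp": "2024-01-10T09:10:00Z", "DeviceName": "ws03",
     "InitiatingProcessAccountName": "jdoe",
     "ActionType": "ExploitGuardNetworkProtectionAudited",
     "RemoteUrl": "https://cdn.example.org/lib.js",
     "AdditionalFields": '{"Experience":"Phishing"}'},  # reputation verdict, not a custom indicator
    {"Timestamp": "2024-01-10T09:15:00Z", "DeviceName": "ws04",
     "InitiatingProcessAccountName": "jdoe",
     "ActionType": "AntivirusDetection",  # outside the ActionType filter entirely
     "RemoteUrl": "https://evil.example/x",
     "AdditionalFields": '{"ResponseCategory":"CustomBlockList"}'},
]

ACTION_TYPES = {"ExploitGuardNetworkProtectionAudited", "ExploitGuardNetworkProtectionBlocked"}
MAINT_PATH_KEYWORDS = ("maintenance", "sysadmin")   # scenario 1 request-path keywords
ADMIN_ACCOUNTS = {"admin", "sysadmin"}              # scenario 1 administrative accounts


def matches_query(ev):
    """Mirror the page's KQL: case-sensitive ActionType filter, then custom-indicator fields."""
    action = ev["ActionType"]
    if action not in ACTION_TYPES and not action.startswith("SmartScreenUrl"):  # startswith_cs
        return False
    fields = json.loads(ev["AdditionalFields"] or "{}")  # todynamic(AdditionalFields)
    return fields.get("Experience") == "CustomPolicy" or fields.get("ResponseCategory") == "CustomBlockList"


def is_maintenance_exclusion(ev):
    """Scenario 1 tuning: keyword in the URL path AND an administrative account."""
    path = urlparse(ev["RemoteUrl"]).path.lower()
    return any(k in path for k in MAINT_PATH_KEYWORDS) and \
        ev["InitiatingProcessAccountName"].lower() in ADMIN_ACCOUNTS


def hunt(events):
    """Return (Timestamp, DeviceName, RemoteUrl) for matching rows that survive the exclusion."""
    return [(e["Timestamp"], e["DeviceName"], e["RemoteUrl"])
            for e in events if matches_query(e) and not is_maintenance_exclusion(e)]
```

Running hunt(SAMPLE_EVENTS) leaves only the ws01 row: the sysadmin maintenance hit is tuned out, the reputation-based audit and the antivirus event never match the query.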