Custom IOC Block Events
Query
//This query monitors for custom blocks from MDE Indicators (Hash, Certificate, URL)
DeviceEvents
| where (ActionType == "SmartScreenUrlWarning" and AdditionalFields.Experience == "CustomBlockList") or (AdditionalFields.ThreatName contains "EUS:Win32/Custom" and ActionType == "AntivirusDetection") or (AdditionalFields.ResponseCategory == "CustomBlockList" and ActionType == "ExploitGuardNetworkProtectionBlocked")
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| summarize by FileName, RemoteUrl,DeviceName, Signer, InitiatingProcessAccountName, InitiatingProcessFileName, SHA1Explanation
This query is designed to monitor and identify custom blocks from Microsoft Defender for Endpoint (MDE) indicators, specifically focusing on hashes, certificates, and URLs. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by examining the
DeviceEventstable, which contains various security-related events from devices. -
Filter Conditions: The query looks for specific types of events:
- Events where the
ActionTypeis "SmartScreenUrlWarning" and the experience is categorized as "CustomBlockList". - Events where the
ActionTypeis "AntivirusDetection" and the threat name includes "EUS:Win32/Custom". - Events where the
ActionTypeis "ExploitGuardNetworkProtectionBlocked" and the response category is "CustomBlockList".
- Events where the
-
Join Operation: It performs a left outer join with the
DeviceFileCertificateInfotable using the SHA1 hash. This means it attempts to match each event with corresponding certificate information, if available. -
Summarization: Finally, it summarizes the results by grouping them based on several fields:
FileName,RemoteUrl,DeviceName,Signer,InitiatingProcessAccountName,InitiatingProcessFileName, andSHA1. This helps in identifying unique instances of custom blocks along with relevant details like the file name, URL, device name, signer, and initiating process information.
In essence, the query is used to track and report on custom security blocks related to files, URLs, and certificates, providing a consolidated view of such events across devices.
Details

Jay Kerai
Released: November 10, 2024
Tables
Keywords
Operators