alexverboon/defender_networkprotection_systemaccount.kusto

## defender_networkprotection_systemaccount.kusto
// Defender Network Protection - blocked - activity with system account
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| where InitiatingProcessAccountName == "system"
| extend ResponseCat = parse_json(AdditionalFields).ResponseCategory
| extend Uri = parse_json(AdditionalFields).DisplayName
| project Timestamp, DeviceName,DeviceId, RemoteUrl, ResponseCat, InitiatingProcessFileName, InitiatingProcessCommandLine
	// Defender Network Protection - blocked - activity with system account
	DeviceEvents
	\| where ActionType == "ExploitGuardNetworkProtectionBlocked"
	\| where InitiatingProcessAccountName == "system"
	\| extend ResponseCat = parse_json(AdditionalFields).ResponseCategory
	\| extend Uri = parse_json(AdditionalFields).DisplayName
	\| project Timestamp, DeviceName,DeviceId, RemoteUrl, ResponseCat, InitiatingProcessFileName, InitiatingProcessCommandLine