Forum Discussion
NetworkSignatureInspected
That’s a really good and subtle observation, and what you’re seeing is actually expected behavior rather than evidence of an active compromise. As of December 2025, entries in DeviceTimeline (or Advanced Hunting) with ActionType = NetworkSignatureInspected are generated by the network inspection engine in Microsoft Defender for Endpoint (MDE). This engine integrates lightweight Zeek-based inspection telemetry into the endpoint sensor. These records represent passive detections of network-layer patterns that Defender recognized and analyzed, not necessarily blocked or executed payloads.
The AdditionalFields content you’re seeing is a raw snippet of payload data that matched a known network signature: in your case, one related to CVE-2021-44228 (Log4Shell) and some strings commonly used by Qakbot or phishing scripts. Defender is flagging that pattern because its sensor saw traffic that resembled an exploit attempt, perhaps a malformed HTTP request or an external scan. It doesn’t mean the device executed malicious code or contacted those domains. The sensor simply captured the payload signature while inspecting inbound or outbound packets. The same pattern appearing across multiple devices confirms that it was a signature match from a scan or external probe, not a localized infection.
Because these network inspection events don’t always map to full detections, they don’t raise an alert or show up in Defender’s threat summary. They are primarily included to enrich hunting data and give you network visibility at the packet level. If you check the related device’s DeviceNetworkEvents, you likely won’t see any confirmed connections to those URLs because the request never completed or was intercepted at the inspection layer. The absence of alerts or follow-up activity means Defender treated it as benign background noise or blocked the traffic before any payload was delivered.
Basically, NetworkSignatureInspected entries indicate that Defender’s network protection module analyzed traffic matching a known signature but didn’t find evidence of compromise. The payloads in the AdditionalFields are fragments of suspicious data observed on the wire, not code that executed on the device. They are useful for correlation and threat hunting but don’t require remediation unless accompanied by alerts or process execution events. Please hit like if you like the solution.
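The two checks the reply suggests, as an added Advanced Hunting (KQL) example that is not part of the original post: first, how many devices saw the same signature (a scan signature hits many hosts in a short window), and second, whether DeviceNetworkEvents shows a completed connection from the same device to the same remote IP around the time of the match. It assumes the NetworkSignatureInspected rows live in DeviceEvents and that AdditionalFields carries SignatureName, SignatureMatchedContent and SamplePacketContent; those three field names, the 7-day lookback and the 10-minute correlation window are assumptions, not something the post states.

```kusto
// Added example, not from the original post. Assumed: NetworkSignatureInspected rows
// are in DeviceEvents and AdditionalFields has SignatureName, SignatureMatchedContent
// and SamplePacketContent (assumed field names; adjust to what your tenant returns).
let lookback = 7d;
let window_min = 10;
let sigs = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "NetworkSignatureInspected"
| extend af = parse_json(AdditionalFields)
| extend SignatureName = tostring(af.SignatureName),
         Matched       = tostring(af.SignatureMatchedContent),
         Sample        = tostring(af.SamplePacketContent)
// Log4Shell probes carry a JNDI lookup string in the payload fragment.
| extend LooksLikeLog4Shell = Matched contains "jndi:" or Sample contains "jndi:"
| project SigTime = Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort,
          SignatureName, Matched, LooksLikeLog4Shell;
// Per signature match: count how many distinct devices saw the same signature,
// then look for a ConnectionSuccess / InboundConnectionAccepted row on the same
// device to/from the same RemoteIP within +/- window_min minutes of the match.
sigs
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
    | project DeviceId, RemoteIP, ConnTime = Timestamp, ConnType = ActionType,
              ConnPort = RemotePort, ConnProcess = InitiatingProcessFileName,
              ConnCmdLine = InitiatingProcessCommandLine
  ) on DeviceId, RemoteIP
| extend InWindow = isnotnull(ConnTime)
                    and abs(datetime_diff("minute", ConnTime, SigTime)) <= window_min
| summarize ConfirmedConnections = countif(InWindow),
            ConnSamples = make_set_if(strcat(ConnType, " ", ConnProcess, " :", ConnPort), InWindow, 5)
          by SigTime, DeviceId, DeviceName, RemoteIP, RemotePort, SignatureName, Matched, LooksLikeLog4Shell
// Fan-out: how many devices saw this exact signature/content in the lookback.
| join kind=inner (
    sigs | summarize DevicesSeen = dcount(DeviceId), FirstSeen = min(SigTime),
                     LastSeen = max(SigTime) by SignatureName, Matched
  ) on SignatureName, Matched
| extend Assessment = case(
    ConfirmedConnections > 0, "completed connection in window - pivot on ConnSamples / process tree",
    DevicesSeen > 1,          "signature-only, seen on multiple devices - consistent with a scan",
                              "signature-only, single device - check surrounding timeline")
| project SigTime, DeviceName, RemoteIP, RemotePort, SignatureName, Matched, LooksLikeLog4Shell,
          DevicesSeen, FirstSeen, LastSeen, ConfirmedConnections, ConnSamples, Assessment
| order by ConfirmedConnections desc, DevicesSeen desc, SigTime desc
```

Rows with ConfirmedConnections = 0 and DevicesSeen > 1 are the "probe seen across the fleet, nothing completed" case the reply describes; a non-zero ConfirmedConnections is the case where you would go on to DeviceProcessEvents for the initiating process rather than treating the entry as noise.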