Jul 29 2020 09:57 AM
Recently I've been working on some Advanced Hunting queries for Web Content Filtering. This data is easy to find for third party browsers such as Chrome or Firefox assuming Network Protection is turned on. Simply query DeviceEvents | Where ActionType == 'ExploitGuardNetworkProtectionBlocked'. However, Edge does not use Network Protection to block sites based on Web Content Filtering. It utilizes SmartScreen. As such I would expect that these events would be under the 'SmartScreenUrlWarning' ActionType. However, this doesn't return any data. In fact, I've found that none of the SmartScreen related ActionTypes return any data. I've confirmed that SmartScreen is enabled and functional with the tools on demo.wd.com. Has anyone been able to successfully query SmartScreen data through Advanced Hunting?
Feb 22 2021 05:14 PM
I found it difficult to investigate Web Content Filtering as well.
Besides it is impossible to the category of Web Filtering blocked URL.
There is https://incompass.netstar-inc.com/urlsearch but it s unclear how this is correlates to Microsoft MDATP Network Protraction Web Filtering decisions.
Feb 25 2021 11:12 PM - edited Feb 25 2021 11:18 PM
I'm not sure if I can help but this doesn't work for you
https://security.microsoft.com/webcontentfilteringcategoriesdetailspage?viewid=webCategories
Obviously the data has come from somewhere. You obviously have to turn it on in MSDE
Tenant has MSDE and MSCAS enabled
Mar 02 2021 07:43 AM