Network Threat Protection Essentials


| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.1 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-11-16 |
| Last Updated | 2026-01-30 |
| Solution Folder | Network Threat Protection Essentials |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (61%) |
| Pre-requisites | Microsoft 365, Amazon Web Services, Windows Server DNS, Azure Firewall, Windows Forwarded Events, zscaler1579058425289.zscaler_internet_access_mss, PaloAlto-PAN-OS, Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel, Check Point |

The Network Threat Protection Essentials solution contains queries that identify suspicious network behavior based on the various data sources ingested into Sentinel. The queries detect common network-based attack indicators, such as malicious user agents, connections to mining pools, and Base64-encoded IPv4 addresses in request URLs. The solution will be updated regularly with additional detection and hunting queries as well as other Sentinel content.

For details on the required solutions, see the Pre-requisites section below.

Keywords: Malicious IP/User agent, DNS, TOR, mining

Pre-requisites

This solution depends on 8 other solution(s):

| Solution |
|---|
| Amazon Web Services |
| Azure Firewall |
| Check Point |
| Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel |
| Microsoft 365 |
| PaloAlto-PAN-OS |
| Windows Forwarded Events |
| Windows Server DNS |

Data Connectors

This solution does not include its own data connectors; it relies on the connectors provided by the dependency solutions listed under Pre-requisites.

Tables Used

This solution queries 6 table(s) from its content items:

| Table | Used By Content |
|---|---|
| AWSCloudTrail | Analytics, Hunting |
| CommonSecurityLog | Analytics, Hunting |
| OfficeActivity | Analytics, Hunting |
| SecurityEvent | Analytics |
| W3CIISLog | Analytics, Hunting |
| WindowsEvent | Analytics |

Content Items

This solution includes 5 content item(s):

| Content Type | Count |
|---|---|
| Hunting Queries | 3 |
| Analytic Rules | 2 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Network endpoint to host executable correlation | Medium | Execution | CommonSecurityLog, SecurityEvent, WindowsEvent |
| New UserAgent observed in last 24 hours | Low | InitialAccess, CommandAndControl, Execution | AWSCloudTrail, OfficeActivity, W3CIISLog |

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| Base64 encoded IPv4 address in request url | CommandAndControl | CommonSecurityLog |
| Exploit and Pentest Framework User Agent | InitialAccess, CommandAndControl, Execution | AWSCloudTrail, OfficeActivity, W3CIISLog |
| Risky base64 encoded command in URL | CommandAndControl | CommonSecurityLog |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.2 | 13-01-2026 | Updated non-functional links in the Exploit and Pentest Framework User Agent hunting query |
| 3.0.1 | 23-02-2024 | Tagged dependent solutions for deployment |
| 3.0.0 | 19-12-2023 | Corrected typo: Microsoft Windows DNS to Windows Server DNS |