Respond to web threats

Web protection in Microsoft Defender for Endpoint lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list.

View web threat alerts

Microsoft Defender for Endpoint generates the following alerts for malicious or suspicious web activity:

  • Suspicious connection blocked by network protection: This alert is generated when network protection (in block mode) stops an attempt to access a malicious website or a website in your custom indicator list.
  • Suspicious connection detected by network protection: This alert is generated when network protection (in audit mode) detects an attempt to access a malicious website or a website in your custom indicator list.

Each alert provides the following information:

  • Device that attempted to access the blocked website
  • Application or program used to send the web request
  • Malicious URL or URL in the custom indicator list
  • Recommended actions for responders

Screenshot: an alert related to web threat protection.

Note

To reduce the volume of alerts, Microsoft Defender for Endpoint consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the web protection report.
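As an added illustration (not Microsoft's code), the following Python models the consolidation rule above over constructed detection records: each raw network protection detection is folded into one alert per device, domain and day, and the alert title follows the mode (block or audit) the page describes. The record layout and sample values are assumptions for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Alert titles as listed on this page.
BLOCK_TITLE = "Suspicious connection blocked by network protection"
AUDIT_TITLE = "Suspicious connection detected by network protection"

# Constructed sample detections (not real telemetry):
# (timestamp, device, initiating process, URL, network protection mode)
SAMPLE_DETECTIONS = [
    ("2024-03-05T08:12:00", "LAPTOP-01", "msedge.exe", "http://malicious.example/landing", "block"),
    ("2024-03-05T08:13:30", "LAPTOP-01", "msedge.exe", "http://malicious.example/payload.js", "block"),
    ("2024-03-05T19:40:10", "LAPTOP-01", "chrome.exe", "https://malicious.example/", "block"),
    ("2024-03-06T09:01:00", "LAPTOP-01", "msedge.exe", "http://malicious.example/landing", "block"),
    ("2024-03-05T08:15:00", "DESKTOP-07", "chrome.exe", "http://malicious.example/landing", "block"),
    ("2024-03-05T10:00:00", "DESKTOP-07", "outlook.exe", "https://custom-blocked.example/invoice", "audit"),
]


@dataclass
class WebThreatAlert:
    """One consolidated alert: same domain, same device, same day."""
    title: str
    device: str
    domain: str
    day: str
    attempts: int = 0                       # raw detections folded into this alert
    urls: list = field(default_factory=list)       # distinct URLs seen
    processes: list = field(default_factory=list)  # distinct requesting programs


def domain_of(url: str) -> str:
    """Consolidation key uses the host, so different paths collapse together."""
    return urlparse(url).hostname or url


def consolidate(detections) -> list:
    """Fold raw detections into alerts keyed by (device, domain, day).

    Mode is a per-device setting, so the first detection in a group decides
    whether the alert is a 'blocked' or 'detected' alert.
    """
    alerts: dict = {}
    for ts, device, process, url, mode in detections:
        key = (device, domain_of(url), ts[:10])  # ts[:10] is the calendar day
        if key not in alerts:
            title = BLOCK_TITLE if mode == "block" else AUDIT_TITLE
            alerts[key] = WebThreatAlert(title, device, key[1], key[2])
        alert = alerts[key]
        alert.attempts += 1
        if url not in alert.urls:
            alert.urls.append(url)
        if process not in alert.processes:
            alert.processes.append(process)
    return list(alerts.values())
```

With the six constructed detections this yields four alerts, which is the number that would be counted into the web protection report; the per-alert `attempts` field preserves how many attempts were collapsed.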

Inspect website details

You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that particular URL or domain with various information, including:

  • Devices that attempted to access the website

  • Incidents and alerts related to the website

  • How frequently the website was seen in events in your organization

Screenshot: the domain or URL entity details page.

For more information, see About URL or domain entity pages.

Inspect the device

You can also check the device that attempted to access a blocked URL. Selecting the name of the device on the alert page opens a page with comprehensive information about the device.

For more information, see About device entity pages.

Web browser and Windows notifications for end users

With web protection in Defender for Endpoint, end users are prevented from visiting malicious or unwanted websites, whether they use Microsoft Edge or another browser. Because the block is enforced by network protection rather than by the browser itself, users see a generic connection error in the browser rather than a page explaining the block. They also see a notification from Windows.

Screenshot: Microsoft Edge showing a 403 error, alongside the Windows notification (web threat blocked on Microsoft Edge).

Screenshot: the Chrome web browser showing a secure connection warning, alongside the Windows notification (web threat blocked on Chrome).
