Anomalous Amountof URL Click Events
Query
let startDate = ago(30d);
let endDate = now();
UrlClickEvents
| where ActionType != 'ClickAllowed'
| where TimeGenerated between (startDate .. endDate)
| make-series ClickCount=count() on TimeGenerated from startDate to endDate step 1d
| extend (anomalies, score, baseline) = series_decompose_anomalies(ClickCount)
| mv-expand TimeGenerated to typeof(datetime), ClickCount to typeof(long), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where score > 0.1
// Only If needed | where anomalies > 0
| project TimeGenerated, ClickCount, anomalies, score, baselineAbout this query
Explanation
This query is designed to detect unusual URL click activities that might indicate potential cybersecurity threats, such as phishing attacks, malware downloads, command and control traffic, data exfiltration, or suspicious redirects. It uses the UrlClickEvents table in Microsoft Sentinel to analyze URL click events over the past 30 days.
Here's a simplified breakdown of what the query does:
-
Time Frame: It examines URL click events from the past 30 days.
-
Filter Events: It filters out events where the action type is 'ClickAllowed', focusing only on potentially suspicious clicks.
-
Count Clicks: It counts the number of URL clicks per day within the specified time frame.
-
Anomaly Detection: It uses a function called
series_decompose_anomaliesto identify anomalies in the daily click counts. This function helps to detect unusual spikes or patterns that deviate from the norm. -
Score Filtering: It filters the results to show only those with a score greater than 0.1, indicating a significant anomaly.
-
Projection: Finally, it projects (or displays) the relevant information, including the timestamp, click count, anomaly score, and baseline for each detected anomaly.
The goal of this query is to help security analysts identify and investigate unusual URL click activities that could be indicative of malicious behavior, allowing them to take proactive measures to mitigate potential threats.
