Query Details

Blob URI Creation Trend Analysis

Query

// https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/

// Switch to Chart Mode to visualize

DeviceFileEvents
| where TimeGenerated > ago(90d)
| where FileOriginUrl startswith "blob:https://"
| summarize Count=count() by bin(TimeGenerated,1d)

Explanation

This query is designed to analyze file events on devices over the past 90 days, specifically looking for files that originate from URLs starting with "blob:https://". A blob: URL points to an object that the page's own JavaScript created in the browser's memory rather than to content fetched from a remote host, so the content never appears as a URL that a web filter or proxy can inspect; that property is what makes blob URLs useful for delivering fake login pages and other phishing content.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses the DeviceFileEvents table, which contains records of file-related activities on devices.

  2. Time Filter: It filters the data to include only events that occurred in the last 90 days.

  3. URL Filter: It further narrows down the events to those where the file's origin URL begins with "blob:https://". This is relevant because such URLs can be used to host fake login pages or other malicious content.

  4. Aggregation: It counts the number of these events for each day, grouping them into daily bins.

  5. Output: The result is a daily count of file events with the specified URL pattern, which can be visualized in a chart to identify trends or spikes in activity over time.

The comment suggests switching to Chart Mode to better visualize the data, which can help in identifying patterns or anomalies that might indicate phishing attacks or other security threats.
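As an added example (not part of the original query or its author's work), the same blob: filter extended so that spikes are flagged against a baseline instead of being eyeballed in a chart, and each flagged day is attributed to the site that created the blob. Column names are standard DeviceFileEvents columns; the 1.5 anomaly threshold is an assumed starting point to tune.

```kql
// Added example: flag anomalous days of blob: file creation and attribute them.
let lookback = 90d;
let blobEvents = DeviceFileEvents
    | where TimeGenerated > ago(lookback)
    | where FileOriginUrl startswith "blob:https://"
    // A blob: URL has no host of its own; the origin of the page that created the
    // object is embedded as blob:<origin>/<uuid>, so pull it out for grouping.
    | extend BlobOrigin = extract(@"^blob:(https://[^/]+)", 1, FileOriginUrl);
// Day-aligned daily series; default=0 fills quiet days so gaps do not shrink the baseline.
let anomalousDays = blobEvents
    | make-series Count = count() default = 0 on TimeGenerated
        from startofday(ago(lookback)) to startofday(now() + 1d) step 1d
    // Threshold 1.5 is an assumption; raise it to reduce noise on busy tenants.
    | extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Count, 1.5)
    | mv-expand TimeGenerated to typeof(datetime), Count to typeof(long),
                Anomalies to typeof(long), Baseline to typeof(double)
    | where Anomalies == 1   // 1 = spike above baseline; -1 would be a dip
    | project Day = TimeGenerated, Count, Baseline;
// For each anomalous day, show which origin generated the blobs, which browser
// wrote the files, how many devices were involved, and a sample file and referrer.
blobEvents
| extend Day = startofday(TimeGenerated)
| join kind=inner anomalousDays on Day
| summarize Files = count(), Devices = dcount(DeviceName),
            SampleFile = any(FileName), SampleReferrer = any(FileOriginReferrerUrl)
          by Day, Count, Baseline, BlobOrigin, InitiatingProcessFileName
| order by Day desc, Files desc
```

A BlobOrigin that is a well-known collaboration or mail site with a handful of devices is normal noise; an unfamiliar origin appearing on a flagged day across many devices is the row to pivot on.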

Details


Steven Lim

Released: May 11, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

ago(), startswith(), summarize, count(), bin(), by, where, >
