# Blocked URLs

## Query Information

### Description

Use the queries below to find the domains of URLs that were blocked.

### Defender for Endpoint / Sentinel

```kql
// Blocked URL clicks in the last 90 days, with the domain and TLD pulled out of the clicked URL
UrlClickEvents
| where TimeGenerated > ago(90d)
| where ActionType == "ClickBlocked"
| where DetectionMethods has_any ("URL")
// inner extract: host part of the URL; outer extract: its last two dot-separated labels
| extend Domain = extract(@"[^.]+\.[^.]+$",0, extract(@"^(?:https?://)?([^/]+)",1,Url))
// trailing ".tld" of Domain, split on "." and keep the label after the dot
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$",0,Domain,typeof(string)),".")[1])
| project TimeGenerated, TLD, Domain, IPAddress, ThreatTypes, DetectionMethods, IsClickedThrough, Url
```

```kql
// Blocked emails detected on URL/domain, joined to the URLs they contained
EmailEvents
| where DeliveryAction == "Blocked"
| where DetectionMethods has_any ("URL","domain")
| join EmailUrlInfo
on $left.NetworkMessageId == $right.NetworkMessageId
// same domain / TLD extraction as in the UrlClickEvents query
| extend Domain = extract(@"[^.]+\.[^.]+$",0, extract(@"^(?:https?://)?([^/]+)",1,Url))
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$",0,Domain,typeof(string)),".")[1])
| project TimeGenerated, TLD, Domain, ThreatTypes, ThreatNames, DetectionMethods, SenderFromDomain, Url
```

### Explanation

The query is used to find the domains of URLs that were blocked. It comes in two parts: one over UrlClickEvents (Defender for Endpoint/Sentinel) and one over EmailEvents. The first part filters UrlClickEvents for blocked clicks that were detected on the URL, extracts the domain and top-level domain (TLD) from the URL, and projects the relevant fields. The second part filters EmailEvents for blocked emails detected on a URL or domain, joins them to EmailUrlInfo on NetworkMessageId to get the URLs in each message, extracts the domain and TLD from each URL, and projects the relevant fields.
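As an added illustration (not part of the original query page), the following Python re-implements the Domain and TLD extraction steps of the KQL above and runs the UrlClickEvents filter over a few constructed rows. The sample rows, the `kql_extract` helper and the `kql_has_any` approximation of KQL's `has_any` are my own assumptions, not Microsoft's implementation. The point is to see what the two regexes actually return before you pivot on the `Domain` column: a host such as `files.example.co.uk` collapses to `co.uk`, and a host carrying an explicit port yields an empty TLD.

```python
import re
from typing import Dict, List

# Compiled forms of the three regular expressions used in the KQL queries.
HOST_RE = re.compile(r"^(?:https?://)?([^/]+)")                    # host[:port] after the scheme
DOMAIN_RE = re.compile(r"[^.]+\.[^.]+$")                            # last two dot-separated labels
TLD_RE = re.compile(r"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$")  # trailing ".tld"

# Constructed sample rows shaped like the UrlClickEvents columns the query
# projects. Values are invented for this example, not real telemetry.
SAMPLE_CLICKS: List[Dict[str, str]] = [
    {"TimeGenerated": "2023-06-01T10:00:00Z", "ActionType": "ClickBlocked",
     "DetectionMethods": "URL reputation", "IPAddress": "198.51.100.10",
     "ThreatTypes": "Phish", "IsClickedThrough": "false",
     "Url": "https://login.example.com/reset?id=1"},
    {"TimeGenerated": "2023-06-01T10:02:00Z", "ActionType": "ClickAllowed",   # dropped: not blocked
     "DetectionMethods": "", "IPAddress": "198.51.100.11",
     "ThreatTypes": "", "IsClickedThrough": "false",
     "Url": "https://docs.example.org/"},
    {"TimeGenerated": "2023-06-01T10:04:00Z", "ActionType": "ClickBlocked",   # dropped: no "URL" term
     "DetectionMethods": "Spoof", "IPAddress": "198.51.100.12",
     "ThreatTypes": "Phish", "IsClickedThrough": "false",
     "Url": "https://mail.example.net/"},
    {"TimeGenerated": "2023-06-01T10:06:00Z", "ActionType": "ClickBlocked",   # second-level registry
     "DetectionMethods": "URL detonation", "IPAddress": "198.51.100.13",
     "ThreatTypes": "Malware", "IsClickedThrough": "true",
     "Url": "http://files.example.co.uk/payload"},
    {"TimeGenerated": "2023-06-01T10:08:00Z", "ActionType": "ClickBlocked",   # explicit port in host
     "DetectionMethods": "URL reputation", "IPAddress": "198.51.100.14",
     "ThreatTypes": "Phish", "IsClickedThrough": "false",
     "Url": "https://cdn.example.net:8443/"},
]


def kql_extract(pattern: re.Pattern, group: int, text: str) -> str:
    # Mimics KQL extract(): the requested capture group of the first match, or "" when nothing matches.
    m = pattern.search(text)
    return m.group(group) if m else ""


def kql_has_any(text: str, terms: List[str]) -> bool:
    # Assumed approximation of KQL has_any: case-insensitive match on whole alphanumeric terms.
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9_]+", text)}
    return any(term.lower() in tokens for term in terms)


def extract_domain(url: str) -> str:
    # Domain = extract(DOMAIN_RE, 0, extract(HOST_RE, 1, Url))
    host = kql_extract(HOST_RE, 1, url)
    return kql_extract(DOMAIN_RE, 0, host)


def extract_tld(domain: str) -> str:
    # TLD = tostring(split(extract(TLD_RE, 0, Domain), ".")[1]); an out-of-range index becomes "".
    parts = kql_extract(TLD_RE, 0, domain).split(".")
    return parts[1] if len(parts) > 1 else ""


def blocked_url_domains(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    # The UrlClickEvents pipeline: filter on ActionType and DetectionMethods, extend, project.
    projected = []
    for row in rows:
        if row["ActionType"] != "ClickBlocked":
            continue
        if not kql_has_any(row["DetectionMethods"], ["URL"]):
            continue
        domain = extract_domain(row["Url"])
        projected.append({
            "TimeGenerated": row["TimeGenerated"],
            "TLD": extract_tld(domain),
            "Domain": domain,
            "IPAddress": row["IPAddress"],
            "ThreatTypes": row["ThreatTypes"],
            "DetectionMethods": row["DetectionMethods"],
            "IsClickedThrough": row["IsClickedThrough"],
            "Url": row["Url"],
        })
    return projected


if __name__ == "__main__":
    for result in blocked_url_domains(SAMPLE_CLICKS):
        print(result["TLD"].ljust(4), result["Domain"].ljust(20), result["Url"])
```

Running the block prints three rows: `example.com` / `com`, `co.uk` / `uk`, and `example.net:8443` with an empty TLD. The first regex keeps only the last two labels, so anything under a two-part public suffix loses its registrable name, and the TLD regex anchors on `$`, so a trailing port defeats it; if those cases matter in your tenant, strip the port from the host first or pivot on the full host instead of `Domain`.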

## Details


Alex Verboon

Released: June 4, 2023

### Tables

UrlClickEvents, EmailEvents, EmailUrlInfo

### Keywords

BlockedURLs, UrlClickEvents, TimeGenerated, ActionType, DetectionMethods, Domain, TLD, IPAddress, ThreatTypes, IsClickedThrough, Url, EmailEvents, DeliveryAction, EmailUrlInfo, NetworkMessageId, SenderFromDomain, ThreatNames

### Operators

where, ago, ==, has_any, extend, extract, split, project, |, join, on, $left., $right.
