Query Details

//Find which users clicked on a phishing link after it was detected by Defender for Office 365
//Data connector required for this query - M365 Defender - Device* tables
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
SecurityAlert
| where ProviderName == "OATP"
| where AlertName in ("Email messages containing malicious URL removed after delivery","Email messages containing phish URLs removed after delivery")
| extend x = todynamic(Entities)
| mv-expand x
| parse-where x with * '"Url":"' MaliciousURL '"' *
| project PhishTime=TimeGenerated, MaliciousURL
| join kind=inner (
DeviceEvents
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountName, RemoteUrl
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl startswith "http")
on $left.MaliciousURL == $right.RemoteUrl
| project-rename URLOpenTime=TimeGenerated
| extend TimeDelta = abs(URLOpenTime - PhishTime)
| project PhishTime, URLOpenTime, TimeDelta, ActionType, RemoteUrl, DeviceName, InitiatingProcessAccountName

This query finds users who clicked on a phishing link after it was detected by Defender for Office 365. It uses data from the M365 Defender Device* tables and the SecurityAlert table. It filters for alerts related to malicious or phishing URLs, expands the Entities column, and parses the URL out of each entity. It then joins this information with DeviceEvents data to find the users who launched a browser to open the malicious URL. The query calculates the time difference between the phishing detection and the URL being opened. The final result includes the phishing time, URL opening time, time difference, action type, remote URL, device name, and initiating process account name.
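To see what the parse and join above actually return, the following is an added Python mirror of the query's logic run over constructed sample data; it is not part of the original page or the author's query, and the Entities JSON, device event rows and timestamps are all made up. It also shows two behaviours of the KQL that are easy to miss: the join is an exact string match, and abs() keeps clicks that happened before the alert as well as after it.

```python
import json
from datetime import datetime

# Constructed sample of one SecurityAlert row's Entities column: a JSON array of
# entity objects, of which only those carrying a "Url" field matter here.
ALERT_ENTITIES = json.dumps([
    {"$id": "2", "Type": "mailbox", "MailboxPrimaryAddress": "user@example.com"},
    {"$id": "3", "Type": "url", "Url": "http://phish.example.test/login"},
    {"$id": "4", "Type": "url", "Url": "http://other.example.test/doc"},
])
PHISH_TIME = datetime(2022, 6, 17, 9, 0, 0)  # the alert's TimeGenerated (constructed)

# Constructed DeviceEvents rows, limited to the columns the query projects.
DEVICE_EVENTS = [
    {"TimeGenerated": datetime(2022, 6, 17, 9, 7, 30), "ActionType": "BrowserLaunchedToOpenUrl",
     "DeviceName": "wks-01", "InitiatingProcessAccountName": "alice",
     "RemoteUrl": "http://phish.example.test/login"},
    # Opened 5 minutes BEFORE the alert: abs() still yields a positive delta, so the
    # query returns clicks on either side of detection, not only those after it.
    {"TimeGenerated": datetime(2022, 6, 17, 8, 55, 0), "ActionType": "BrowserLaunchedToOpenUrl",
     "DeviceName": "wks-02", "InitiatingProcessAccountName": "bob",
     "RemoteUrl": "http://phish.example.test/login"},
    # Same host, extra query string: the exact-match join does not correlate it.
    {"TimeGenerated": datetime(2022, 6, 17, 9, 9, 0), "ActionType": "BrowserLaunchedToOpenUrl",
     "DeviceName": "wks-03", "InitiatingProcessAccountName": "carol",
     "RemoteUrl": "http://phish.example.test/login?x=1"},
    # Wrong ActionType: filtered out before the join.
    {"TimeGenerated": datetime(2022, 6, 17, 9, 10, 0), "ActionType": "FileCreated",
     "DeviceName": "wks-01", "InitiatingProcessAccountName": "alice",
     "RemoteUrl": "http://phish.example.test/login"},
]

def malicious_urls(entities_json):
    """Mirror of: todynamic(Entities) | mv-expand | parse-where ... '"Url":"' MaliciousURL '"'."""
    return [e["Url"] for e in json.loads(entities_json) if isinstance(e, dict) and "Url" in e]

def correlate(phish_time, entities_json, device_events):
    """Mirror of the inner join on $left.MaliciousURL == $right.RemoteUrl plus the TimeDelta."""
    urls = set(malicious_urls(entities_json))
    rows = []
    for ev in device_events:
        if ev["ActionType"] != "BrowserLaunchedToOpenUrl" or not ev["RemoteUrl"].startswith("http"):
            continue
        if ev["RemoteUrl"] in urls:  # KQL == on strings is exact and case-sensitive
            rows.append({"PhishTime": phish_time, "URLOpenTime": ev["TimeGenerated"],
                         "TimeDeltaSeconds": abs((ev["TimeGenerated"] - phish_time).total_seconds()),
                         "RemoteUrl": ev["RemoteUrl"], "DeviceName": ev["DeviceName"],
                         "InitiatingProcessAccountName": ev["InitiatingProcessAccountName"]})
    return sorted(rows, key=lambda r: r["TimeDeltaSeconds"])

if __name__ == "__main__":
    for r in correlate(PHISH_TIME, ALERT_ENTITIES, DEVICE_EVENTS):
        print(r["InitiatingProcessAccountName"], r["DeviceName"], r["TimeDeltaSeconds"])
```

Running it lists bob (300 s, before detection) and alice (450 s, after); carol's near-identical URL is not matched, which is the case to keep in mind when an alert's URL and the browser's RemoteUrl differ only by a query string or trailing slash.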

Matt Zorich
Released: June 17, 2022