Query Details

Device Parse URL

Query

//Use the inbuilt KQL parse_url function to return the various components of a URL

//Data connector required for this query - M365 Defender - Device* tables

DeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl"
| extend Url = parse_url(RemoteUrl)
| extend Hostname = tostring(Url.Host)
| extend Fragment = tostring(Url.Fragment)
| extend Password = tostring(Url.Password)
| extend Path = tostring(Url.Path)
| extend Port = tostring(Url.Port)
// parse_url exposes the query string under the key "Query Parameters", not "Query"
| extend Query = tostring(Url["Query Parameters"])
| extend Schema = tostring(Url.Scheme)
| extend Username = tostring(Url.Username)
| where isnotempty(Hostname)
| project
    TimeGenerated,
    DeviceName,
    RemoteUrl,
    Schema,
    Port,
    Hostname,
    Path,
    Query,
    Username,
    Password,
    Fragment

Explanation

This query uses the built-in KQL parse_url function to split a URL into its components, reading from the DeviceEvents table provided by the M365 Defender data connector. It filters for events where the ActionType is "BrowserLaunchedToOpenUrl", applies parse_url to the RemoteUrl, and extracts the Hostname, Fragment, Password, Path, Port, Query, Schema (the URL scheme, which parse_url returns as Scheme), and Username. Events with an empty Hostname are dropped, and the result projects the TimeGenerated, DeviceName, RemoteUrl, Schema, Port, Hostname, Path, Query, Username, Password, and Fragment columns.
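The same extraction run over a small constructed set of URLs, as an added example that is not part of the original query or the author's repository, so the value parse_url returns for each component can be inspected without a Defender workspace. The sample rows (timestamps, device names, URLs) and the two triage columns EmbeddedCredentials and NonStandardPort are assumptions introduced here for illustration:

```kql
// Added example, not from the original page: the parse_url extraction applied to a
// constructed datatable (the URLs, timestamps and device names below are made up).
let SampleUrls = datatable(TimeGenerated:datetime, DeviceName:string, RemoteUrl:string)
[
    datetime(2022-06-17 10:00:00), "ws01", "https://www.example.com/login?user=a&lang=en#top",
    datetime(2022-06-17 10:01:00), "ws02", "http://admin:Passw0rd@198.51.100.23:8080/panel",
    datetime(2022-06-17 10:02:00), "ws03", "ftp://files.example.net:2121/pub/readme.txt",
    datetime(2022-06-17 10:03:00), "ws04", "not a url"
];
SampleUrls
| extend Url = parse_url(RemoteUrl)
| extend Schema   = tostring(Url.Scheme),
         Hostname = tostring(Url.Host),
         Port     = tostring(Url.Port),
         Path     = tostring(Url.Path),
         Username = tostring(Url.Username),
         Password = tostring(Url.Password),
         Fragment = tostring(Url.Fragment)
// parse_url stores the query string under the key "Query Parameters", as a property bag
| extend Query = tostring(Url["Query Parameters"])
// rows parse_url could not split into a host (the "not a url" row) are dropped here
| where isnotempty(Hostname)
// hypothetical triage columns for this example: credentials embedded in a URL and
// ports other than the usual HTTP/HTTPS pair are both worth a second look in a hunt
| extend EmbeddedCredentials = isnotempty(Username) or isnotempty(Password)
| extend NonStandardPort = isnotempty(Port) and Port !in ("80", "443")
| project TimeGenerated, DeviceName, RemoteUrl, Schema, Port, Hostname, Path, Query,
          Username, Password, Fragment, EmbeddedCredentials, NonStandardPort
```

Paste the block into a Sentinel or Log Analytics query window; it reads no tables, so it runs in any workspace. The second sample row is the one to watch: its Username, Password and Port columns are populated, so both triage flags come out true, which is the kind of row a defender would pivot on when reviewing browser-launched URLs.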

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,ActionType,BrowserLaunchedToOpenUrl,RemoteUrl,parse_url,Url,Hostname,Fragment,Password,Path,Port,Query,Schema,Username,isnotempty,TimeGenerated,DeviceName

Operators

parse_url,extend,tostring,where,isnotempty,project
