Query Details

KQL URL Protection Report

Query

// KQL URL Protection Report
// https://www.linkedin.com/posts/activity-7190735644749426691-SQlH/

// For organization subscribed to Defender for Office 365, M365 or security admin would most of time go to DefenderXDR portal "Reports" > "Email & Collaboration" > "URL protection report" to check if a particular user has click on a malicious link and if it was blocked by Office 365 ATP.

// Do you know you can access all these Threat Intelligence URL Click Data in CloudAppEvents table? 😎

// Using DefenderXDR Advanced Hunting and the below KQL will provide information similar to the "URL Protection Report", you can further summarize these set of data to allow you to better understand the threats currently faced by your suite of Office 365 applications that support SafeLinks and possibly tweak your SafeLinks configuration to improve your organization Office 365 application protection.🛡️

CloudAppEvents
| where ActionType == "TIUrlClickData"
| where RawEventData.Workload=="ThreatIntelligence"
| extend AppName = RawEventData.AppName
| extend AccountUpn = RawEventData.UserId
| extend UserIP = RawEventData.UserIp
| extend ClickURL = RawEventData.Url
| extend UrlClickAction = RawEventData.UrlClickAction
| extend TimeOfClick = RawEventData.TimeOfClick
| where ActivityType=="Basic"
| project AppName, AccountUpn, UserIP, ClickURL, UrlClickAction, TimeOfClick
| where UrlClickAction == 2 //User blocked from navigating to the URL

// MITRE ATT&CK Mapping

// Based on the analysis, the query is primarily focused on detecting events where users interact with potentially malicious URLs and are blocked from accessing them. This can be mapped to the following MITRE ATT&CK techniques:

// T1071.001 - Application Layer Protocol: Web Protocols:
// The query monitors URL clicks, which involves web protocols.
// T1204.001 - User Execution: Malicious Link:
// The detection of URL clicks and blocking access to malicious URLs aligns with detecting user execution of malicious links.
// T1566.002 - Phishing: Spearphishing Link:
// The query can help identify spearphishing attempts where users click on malicious links.

Explanation

This KQL query is designed to help organizations using Defender for Office 365 monitor and analyze potentially malicious URL clicks by users. It retrieves data from the CloudAppEvents table, focusing on events where users attempted to click on URLs flagged by threat intelligence as malicious, and were subsequently blocked from accessing them.

Here's a simplified breakdown of what the query does:

  1. Data Source: It pulls data from the CloudAppEvents table, specifically looking for URL click events related to threat intelligence (ActionType == "TIUrlClickData").

  2. Filtering: The query filters for events where the workload is "ThreatIntelligence" and the activity type is "Basic".

  3. Data Extraction: It extracts relevant details such as the application name, user account, user IP address, the URL clicked, the action taken on the URL click, and the time of the click.

  4. Focus on Blocked URLs: It specifically looks for cases where the user was blocked from navigating to the URL (UrlClickAction == 2).

  5. Output: The query projects a list of these events, showing which applications and users were involved, along with the URLs and actions taken.

  6. Security Insight: This information can be used to understand the threats faced by the organization's Office 365 applications and to adjust SafeLinks configurations for better protection.

  7. MITRE ATT&CK Mapping: The query aligns with certain MITRE ATT&CK techniques, such as monitoring web protocols, detecting user execution of malicious links, and identifying spearphishing attempts.

In essence, this query helps security teams identify and analyze instances where users are protected from malicious links, providing insights into potential phishing and other cyber threats.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsThreatIntelligenceAppNameUserIdUserIpUrlUrlClickActionTimeOfClickActivityTypeUserOffice365SafeLinksMITREATTACKApplicationProtocolWebExecutionMaliciousLinkPhishingSpearphishing

Operators

CloudAppEvents|where==extendproject

Actions

GitHub