Query Details
DeviceEvents
| where TimeGenerated > ago(90d)
// Keep only custom-indicator (block list) hits: SmartScreen for browser navigations,
// Network Protection for connections from other processes
| where (ActionType == "SmartScreenUrlWarning" and AdditionalFields.Experience == "CustomBlockList")
    or (ActionType == "ExploitGuardNetworkProtectionBlocked" and AdditionalFields.ResponseCategory == "CustomBlockList")
| extend DisplayName = tostring(AdditionalFields.DisplayName), ApplicationName = tostring(AdditionalFields.ApplicationName)
| where DisplayName has "appName" or isnotempty(ApplicationName)
// DisplayName carries the process as appName="<name>"; otherwise fall back to ApplicationName
// (both branches of iff are strings, so the extend does not fail on a type mismatch)
| extend Application = iff(DisplayName has "appName", replace_string(DisplayName, "appName=", ""), ApplicationName)
| extend Application = replace_string(Application, '"', '')
| summarize BlockedUrls = make_list(RemoteUrl) by Application
This KQL query surfaces the URLs that Microsoft Defender for Endpoint blocked because they matched a custom indicator (a "custom block list" entry), grouped by the application that tried to reach them. Step by step:
Time filter: only events from the last 90 days. TimeGenerated is the column name in the Sentinel (Log Analytics) copy of DeviceEvents; in the Defender advanced hunting portal the same column is called Timestamp.
Event type filter: two kinds of custom-block-list hits are kept: SmartScreenUrlWarning events whose AdditionalFields.Experience is CustomBlockList (a browser navigation stopped by SmartScreen), and ExploitGuardNetworkProtectionBlocked events whose AdditionalFields.ResponseCategory is CustomBlockList (a connection from another process stopped by Network Protection).
Application identification: an event is kept only if AdditionalFields.DisplayName contains the term appName or AdditionalFields.ApplicationName is non-empty; events with neither carry no usable process name and are dropped.
Application name extraction: when DisplayName has the form appName="<name>", the appName= prefix is stripped; otherwise ApplicationName is used as-is.
Data cleaning: the double quotes around the extracted name are removed so that both sources yield the same plain process name (for example msedge.exe) and group together.
Summarization: events are grouped by Application and make_list collects every RemoteUrl blocked for it. Repeated hits on the same URL appear as duplicates; use make_set instead if you want a distinct list.
In summary, this query lists, per application, the URLs that SmartScreen and Network Protection blocked over the past 90 days because of custom indicators, which makes it a quick way to confirm that a block-list entry is actually firing and to see which processes keep trying to reach it.
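The same filter, extraction and grouping steps can be checked offline before the query is run against a tenant. The Python below is an added example, not part of the original page or of Jay Kerai's query: it applies the query's logic to a few constructed DeviceEvents rows whose AdditionalFields column holds the raw JSON the table stores. The rows, the fixed NOW timestamp and the URLs are made up, and the regular expression only approximates KQL's case-insensitive, whole-term match for `has`.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 90-day window is deterministic (assumption for the example).
NOW = datetime(2024, 11, 11, tzinfo=timezone.utc)

# Constructed sample rows in the shape of DeviceEvents (Sentinel column names).
# These are not real telemetry; AdditionalFields is the JSON string the table stores.
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=1), "ActionType": "SmartScreenUrlWarning",
     "RemoteUrl": "https://blocked.example/login",
     "AdditionalFields": json.dumps({"Experience": "CustomBlockList",
                                     "DisplayName": 'appName="msedge.exe"'})},
    {"TimeGenerated": NOW - timedelta(days=10), "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "https://blocked.example/payload.ps1",
     "AdditionalFields": json.dumps({"ResponseCategory": "CustomBlockList",
                                     "ApplicationName": "powershell.exe"})},
    {"TimeGenerated": NOW - timedelta(days=3), "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "https://blocked.example/login",
     "AdditionalFields": json.dumps({"ResponseCategory": "CustomBlockList",
                                     "DisplayName": 'appName="chrome.exe"',
                                     "ApplicationName": "chrome.exe"})},
    # SmartScreen hit from a built-in category, not a custom indicator: filtered out.
    {"TimeGenerated": NOW - timedelta(days=2), "ActionType": "SmartScreenUrlWarning",
     "RemoteUrl": "https://phish.example/",
     "AdditionalFields": json.dumps({"Experience": "Phishing",
                                     "DisplayName": 'appName="msedge.exe"'})},
    # Custom block, but no process name in either field: filtered out.
    {"TimeGenerated": NOW - timedelta(days=4), "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "https://blocked.example/noapp",
     "AdditionalFields": json.dumps({"ResponseCategory": "CustomBlockList"})},
    # Older than 90 days: filtered out by the time window.
    {"TimeGenerated": NOW - timedelta(days=120), "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "https://blocked.example/old",
     "AdditionalFields": json.dumps({"ResponseCategory": "CustomBlockList",
                                     "ApplicationName": "curl.exe"})},
    # Second hit on the same URL from the same process: make_list keeps the duplicate.
    {"TimeGenerated": NOW - timedelta(days=5), "ActionType": "ExploitGuardNetworkProtectionBlocked",
     "RemoteUrl": "https://blocked.example/payload.ps1",
     "AdditionalFields": json.dumps({"ResponseCategory": "CustomBlockList",
                                     "ApplicationName": "powershell.exe"})},
]

# Which AdditionalFields key marks a custom-block-list hit for each ActionType.
CUSTOM_BLOCK_RULES = {
    "SmartScreenUrlWarning": "Experience",
    "ExploitGuardNetworkProtectionBlocked": "ResponseCategory",
}

# Approximation of KQL `has "appName"`: case-insensitive match on the whole term.
APPNAME_TERM = re.compile(r"\bappName\b", re.IGNORECASE)


def is_custom_block_list_hit(event, fields):
    """True when the event is one of the two ActionTypes and its category field is CustomBlockList."""
    key = CUSTOM_BLOCK_RULES.get(event["ActionType"])
    return key is not None and fields.get(key) == "CustomBlockList"


def extract_application(fields):
    """Mirror the query's iff/replace_string steps; return None when no process name is available."""
    display = str(fields.get("DisplayName") or "")
    app_name = str(fields.get("ApplicationName") or "")
    if APPNAME_TERM.search(display):
        app = display.replace("appName=", "")   # replace_string is case-sensitive, like KQL
    elif app_name:
        app = app_name
    else:
        return None
    return app.replace('"', "")                  # strip the quotes around the process name


def summarize_blocked_urls(events, now=NOW, lookback=timedelta(days=90)):
    """Equivalent of the query's where/extend/summarize pipeline: {Application: [RemoteUrl, ...]}."""
    cutoff = now - lookback
    blocked = defaultdict(list)
    for event in events:
        if event["TimeGenerated"] <= cutoff:     # TimeGenerated > ago(90d)
            continue
        fields = json.loads(event["AdditionalFields"])
        if not is_custom_block_list_hit(event, fields):
            continue
        app = extract_application(fields)
        if app is None:
            continue
        blocked[app].append(event["RemoteUrl"])  # make_list keeps duplicates
    return dict(blocked)


if __name__ == "__main__":
    for app, urls in summarize_blocked_urls(SAMPLE_EVENTS).items():
        print(f"{app}: {urls}")
```

Running it prints three applications: msedge.exe (one URL via the SmartScreen path), chrome.exe (one URL, taken from DisplayName even though ApplicationName is also present, matching the iff order in the query) and powershell.exe (the same URL twice, which is the make_list behaviour; switch the list to a set to get make_set semantics). The phishing-category, nameless and 120-day-old rows never reach the summary.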

Jay Kerai
Released: November 11, 2024