Query Details

Find all the activities that launched a browser to open a URL from a compromised device.

MDE Browser Launched To Open Url By Compromised Device

Query

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl startswith "http"
| project
     TimeGenerated,
     DeviceName,
     RemoteUrl,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath

About this query

Find all the activities that launched a browser to open a URL from a compromised device.

Defender XDR

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl startswith "http"
| project
     Timestamp,
     DeviceName,
     RemoteUrl,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath

Sentinel

Explanation

This query is designed to identify and list all instances where a browser was launched to open a URL from a specific compromised device, within a specified time frame. Here's a simple breakdown of what each part of the query does:

  1. Compromised Device: The query focuses on a device identified as compromised, specifically "laptop.contoso.com".

  2. Search Window: It looks at events that occurred within the last 48 hours. This time frame can be adjusted as needed.

  3. Data Source: The query pulls data from the DeviceEvents table.

  4. Filters Applied:

    • It only considers events where the action was a browser being launched to open a URL (ActionType == "BrowserLaunchedToOpenUrl").
    • It ensures the URL starts with "http", indicating a web address.
  5. Output: The query extracts and displays the following details for each relevant event:

    • The time the event occurred (Timestamp or TimeGenerated).
    • The name of the device (DeviceName).
    • The URL that was opened (RemoteUrl).
    • Information about the process that initiated the browser launch, including:
      • The file name of the initiating process (InitiatingProcessFileName).
      • The command line used to start the process (InitiatingProcessCommandLine).
      • The folder path of the initiating process (InitiatingProcessFolderPath).

The query is structured similarly for both Defender XDR and Sentinel, with minor differences in the timestamp field name (Timestamp vs. TimeGenerated).

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceEvents

Keywords

DeviceEventsTimestampNameActionTypeRemoteUrlInitiatingProcessFileCommandLineFolderPath

Operators

letwhereagostartswithproject

Actions

GitHub