Query Details
# Find all the activities that launched a browser to open a URL from a compromised device.
### Defender For Endpoint
```
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl" // another process (mail client, Office, chat) handed a URL to the default browser
| where RemoteUrl startswith "http" // drop non-web handlers such as mailto: or ms-teams:
| project
Timestamp,
DeviceName,
RemoteUrl,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessFolderPath
```
### Sentinel
```
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl" // another process (mail client, Office, chat) handed a URL to the default browser
| where RemoteUrl startswith "http" // drop non-web handlers such as mailto: or ms-teams:
| project
TimeGenerated,
DeviceName,
RemoteUrl,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessFolderPath
```
The query lists every `BrowserLaunchedToOpenUrl` event recorded for the compromised device inside the search window. This action type is logged when a process other than the browser itself (for example a mail client, an Office document or a chat application) asks Windows to open a URL in the default browser, so the `InitiatingProcessFileName`, `InitiatingProcessCommandLine` and `InitiatingProcessFolderPath` columns tell you which application the user clicked the link from. That makes the query useful for reconstructing phishing link clicks during an investigation. Note that it does not cover URLs the user typed or navigated to inside the browser; use `DeviceNetworkEvents` for that part of the timeline. The Sentinel version is identical apart from the `TimeGenerated` column name.
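A natural follow-up during an incident is to ask which other devices opened URLs on the same hosts. The query below is an added example, not part of the original page; it reuses the device name and time window from the query above, extracts the host with `parse_url()`, and pivots across all devices. The `KnownGoodHosts` list is an assumption to tune per tenant, and for Sentinel replace `Timestamp` with `TimeGenerated`.

```kusto
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
// Hosts that will show up everywhere and only add noise; tune for your tenant (assumed list).
let KnownGoodHosts = dynamic(["login.microsoftonline.com", "www.office.com"]);
// Step 1: hosts of the URLs that were opened from the compromised device.
let SuspiciousHosts =
    DeviceEvents
    | where Timestamp > ago(SearchWindow)
    | where DeviceName == CompromisedDevice
    | where ActionType == "BrowserLaunchedToOpenUrl"
    | where RemoteUrl startswith "http"
    | extend UrlHost = tostring(parse_url(RemoteUrl).Host)
    | where isnotempty(UrlHost) and UrlHost !in (KnownGoodHosts)
    | distinct UrlHost;
// Step 2: every device that opened a URL on one of those hosts in the same window.
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl startswith "http"
| extend UrlHost = tostring(parse_url(RemoteUrl).Host)
| where UrlHost in (SuspiciousHosts)
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Opens = count(),
    Urls = make_set(RemoteUrl, 20),
    Launchers = make_set(InitiatingProcessFileName, 10)
    by DeviceName, UrlHost
| order by Opens desc
```

Devices other than the compromised one that appear in the result are candidates for the same phishing campaign; the `Launchers` column shows whether the links came from the same application (for example the same mail client), which helps decide whether to pull the message from mailboxes.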

Bert-Jan Pals
Released: May 10, 2023