Find all the activities that launched a browser to open a URL from a compromised device.
MDE Urls Opened With Outlook From Compromised Device
Query
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where InitiatingProcessFileName == "outlook.exe"
| where RemoteUrl startswith "http"
| project
TimeGenerated,
DeviceName,
RemoteUrl,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessFolderPathAbout this query
Find all the activities that launched a browser to open a URL from a compromised device.
Defender XDR
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where InitiatingProcessFileName == "outlook.exe"
| where RemoteUrl startswith "http"
| project
Timestamp,
DeviceName,
RemoteUrl,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessFolderPath
Sentinel
Explanation
This query is designed to identify specific activities on a compromised device, specifically when a browser is launched to open a URL. Here's a simplified explanation of what the query does:
-
Target Device: The query focuses on a device identified as "laptop.contoso.com," which is considered compromised.
-
Time Frame: It looks at activities that occurred within the last 48 hours. This time frame can be adjusted by changing the
SearchWindowvariable. -
Activity Type: The query filters for events where a browser was launched to open a URL. This is specified by the
ActionTypebeing "BrowserLaunchedToOpenUrl." -
Initiating Process: It further narrows down the results to instances where the browser was launched by "outlook.exe," indicating that the action was initiated from the Outlook application.
-
URL Filtering: The query only considers URLs that start with "http," ensuring that it captures standard web links.
-
Output: The results include details such as the timestamp of the event, the device name, the URL that was opened, the name of the initiating process, the command line used to launch it, and the folder path of the initiating process.
Overall, this query helps in identifying potentially suspicious activities where a browser is opened from Outlook on a compromised device to access web content, which could be indicative of phishing or other malicious activities.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators