Query Details
# Find all the activities that launched a browser to open a URL from a compromised device.
### Defender For Endpoint
```kql
let CompromisedDevice = "laptop.contoso.com"; // FQDN of the device under investigation
let SearchWindow = 48h; // Customizable: h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl" // browser launched to open a link
| where InitiatingProcessFileName == "outlook.exe" // links clicked from Outlook (e-mail)
| where RemoteUrl startswith "http" // drop non-web handlers (mailto:, file:, ...)
| project
    Timestamp,
    DeviceName,
    RemoteUrl,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessFolderPath
```
### Sentinel
```kql
let CompromisedDevice = "laptop.contoso.com"; // FQDN of the device under investigation
let SearchWindow = 48h; // Customizable: h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow) // Sentinel uses TimeGenerated instead of Timestamp
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl" // browser launched to open a link
| where InitiatingProcessFileName == "outlook.exe" // links clicked from Outlook (e-mail)
| where RemoteUrl startswith "http" // drop non-web handlers (mailto:, file:, ...)
| project
    TimeGenerated,
    DeviceName,
    RemoteUrl,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessFolderPath
```
The query searches for activities in which a browser was launched to open a URL on the compromised device. It restricts the results to the named device, to the `BrowserLaunchedToOpenUrl` action type, to links opened from Outlook (`InitiatingProcessFileName == "outlook.exe"`, which scopes the hunt to links clicked in e-mail; remove that filter to see links opened from other applications), and to URLs starting with "http". It then projects the timestamp, device name, remote URL, and the initiating process's file name, command line and folder path.
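An added triage variant for the Defender for Endpoint schema (not part of the original page): it keeps the same filters but uses `parse_url()` to group the opened URLs by host, so rarely visited hosts surface first and the analyst can check them before the long tail of well-known domains. The device name is the page's placeholder; for Sentinel replace `Timestamp` with `TimeGenerated`.

```kql
let CompromisedDevice = "laptop.contoso.com"; // placeholder from the page
let SearchWindow = 48h;
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where InitiatingProcessFileName == "outlook.exe"
| where RemoteUrl startswith "http"
// parse_url() returns a dynamic object; Host is the authority part of the URL
| extend UrlHost = tostring(parse_url(RemoteUrl).Host)
| summarize
    Clicks = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Urls = make_set(RemoteUrl, 20) // keep up to 20 distinct URLs per host
    by DeviceName, UrlHost
// rarely opened hosts first: a single click on an unfamiliar host is what phishing triage looks for
| order by Clicks asc, FirstSeen asc
```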

Bert-Jan Pals
Released: May 10, 2023