Query Details

Find all the activities that launched a browser to open a URL from a compromised device.

MDE Urls Opened With Outlook From Compromised Device

Query

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where InitiatingProcessFileName == "outlook.exe"
| where RemoteUrl startswith "http"
| project
     TimeGenerated,
     DeviceName,
     RemoteUrl,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath

About this query

Find all the activities that launched a browser to open a URL from a compromised device.

Defender XDR

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where InitiatingProcessFileName == "outlook.exe"
| where RemoteUrl startswith "http"
| project
     Timestamp,
     DeviceName,
     RemoteUrl,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath

Sentinel

Explanation

This query is designed to identify specific activities on a compromised device, specifically when a browser is launched to open a URL. Here's a simplified explanation of what the query does:

  1. Target Device: The query focuses on a device identified as "laptop.contoso.com," which is considered compromised.

  2. Time Frame: It looks at activities that occurred within the last 48 hours. This time frame can be adjusted by changing the SearchWindow variable.

  3. Activity Type: The query filters for events where a browser was launched to open a URL. This is specified by the ActionType being "BrowserLaunchedToOpenUrl."

  4. Initiating Process: It further narrows down the results to instances where the browser was launched by "outlook.exe," indicating that the action was initiated from the Outlook application.

  5. URL Filtering: The query only considers URLs that start with "http," ensuring that it captures standard web links.

  6. Output: The results include details such as the timestamp of the event, the device name, the URL that was opened, the name of the initiating process, the command line used to launch it, and the folder path of the initiating process.

Overall, this query helps in identifying potentially suspicious activities where a browser is opened from Outlook on a compromised device to access web content, which could be indicative of phishing or other malicious activities.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceEvents

Keywords

DeviceEventsBrowserUrlProcessCommandLineFolderPath

Operators

letago()|where==startswithproject

Actions

GitHub