Query Details

Phish Link Clickers

Query

//--- enter the FQDN of the phishing url below ---//
let phishingDomain = "";
// Devices on which an outbound connection to the phishing domain was actually observed,
// i.e. the click reached the site and was not blocked
let allowedClicks = DeviceNetworkEvents
| where RemoteUrl contains phishingDomain
| distinct DeviceName
| extend BlockedStatus="No";
// Browser launches that opened the phishing URL, counted per user and device
DeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl contains phishingDomain
| extend User=InitiatingProcessAccountUpn
| summarize Clicks=count() by DeviceName, User
// Left outer join on DeviceName: devices with no observed connection get an empty BlockedStatus
| join kind=leftouter allowedClicks on DeviceName
| extend Blocked = iff(BlockedStatus=="", "Yes", "No")
| project User, Clicks, Blocked, DeviceName
| sort by Blocked asc, Clicks desc

Explanation

This query looks for instances where a phishing URL was opened on devices. From DeviceEvents it counts, per user and per device, how many times a browser was launched to open the URL. From DeviceNetworkEvents it builds the list of devices on which a connection to the phishing domain was actually observed; a left outer join on DeviceName marks clicks from those devices as not blocked, and clicks from devices with no matching network event as blocked. Note that the join key is the device, not the user, so one observed connection from a device marks every user's clicks on that device as not blocked. The results are sorted by blocked status (ascending, so unblocked clicks appear first) and then by the number of clicks in descending order.
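The following is an added example, not part of the original query page: it runs the same logic against a few constructed rows declared with datatable, so the blocked/not-blocked inference can be checked in Advanced Hunting or Azure Data Explorer before pointing it at the real DeviceEvents and DeviceNetworkEvents tables. The domain, device names and user UPNs are invented placeholders.

```kql
// Constructed phishing domain (placeholder, not a real indicator)
let phishingDomain = "login-verify.invalid";
// Constructed stand-in for DeviceEvents: one row per browser launch
let SampleDeviceEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string, RemoteUrl:string, InitiatingProcessAccountUpn:string)
[
    datetime(2022-01-03 09:00:00), "wks-001", "BrowserLaunchedToOpenUrl", "https://login-verify.invalid/account", "alice@contoso.example",
    datetime(2022-01-03 09:05:00), "wks-001", "BrowserLaunchedToOpenUrl", "https://login-verify.invalid/account", "alice@contoso.example",
    datetime(2022-01-03 09:10:00), "wks-002", "BrowserLaunchedToOpenUrl", "https://login-verify.invalid/account", "bob@contoso.example",
    datetime(2022-01-03 09:12:00), "wks-002", "BrowserLaunchedToOpenUrl", "https://login-verify.invalid/account", "carol@contoso.example",
    datetime(2022-01-03 09:20:00), "wks-003", "BrowserLaunchedToOpenUrl", "https://intranet.contoso.example/", "dave@contoso.example"
];
// Constructed stand-in for DeviceNetworkEvents: only wks-002 actually reached the domain,
// and only bob's session did; carol's click on the same device will still be marked "No"
let SampleNetworkEvents = datatable(Timestamp:datetime, DeviceName:string, RemoteUrl:string, InitiatingProcessAccountUpn:string)
[
    datetime(2022-01-03 09:10:01), "wks-002", "https://login-verify.invalid/account", "bob@contoso.example"
];
// Same logic as the page's query, applied to the sample tables
let allowedClicks = SampleNetworkEvents
| where RemoteUrl contains phishingDomain
| distinct DeviceName
| extend BlockedStatus="No";
SampleDeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl contains phishingDomain
| extend User=InitiatingProcessAccountUpn
| summarize Clicks=count() by DeviceName, User
| join kind=leftouter allowedClicks on DeviceName
| extend Blocked = iff(BlockedStatus=="", "Yes", "No")
| project User, Clicks, Blocked, DeviceName
| sort by Blocked asc, Clicks desc
```

Expected result on the sample data: bob and carol on wks-002 each show 1 click with Blocked "No" (the device-level join marks carol's click as unblocked even though only bob's connection was observed), alice on wks-001 shows 2 clicks with Blocked "Yes", and dave's intranet launch is excluded by the RemoteUrl filter. A device with no matching DeviceNetworkEvents row is reported as blocked; that is an inference from absence, so a device that was offline or not yet reporting at the time will also appear as "Yes".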

Details


C.J. May

Released: January 3, 2022

Tables

DeviceNetworkEvents, DeviceEvents

Keywords

Devices, Intune, User

Operators

let, where, contains, distinct, extend, summarize, join, kind, iff, project, sort by, asc, desc
