Query Details

Security Alert A Potentially Malicious URL Click Was Detected

Query

let _URLRegex = toscalar(
    _GetWatchlist('RegEx-SingleRegularExpressions')
    | where UseCase == "Threat Intelligence Indicator URL"
    | project RegEx
);
SecurityAlert
| where AlertName has "A potentially malicious URL click was detected" and ProviderName == "OATP"
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    InvestigationAction = tostring(ExtendedProperties["InvestigationName"]),
    URL = tostring(split(tostring(ExtendedProperties["InvestigationName"]), " - ")[1])
| extend Domain = tostring(extract(_URLRegex, 3, URL))
| extend SLD = strcat_array(array_slice(split(Domain, "."), -2, -1), ".")
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    InvestigationActions = make_set(InvestigationAction, 250),
    URLs = make_set(URL, 250),
    Domains = make_set(Domain, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, SLD
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    StartTime,
    EndTime,
    SLD,
    Domains,
    URLs,
    InvestigationActions,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This query retrieves Defender for Office 365 (ProviderName "OATP") security alerts whose name indicates that a potentially malicious URL click was detected. It parses the alert's ExtendedProperties, takes the clicked URL from the InvestigationName field (the text after " - "), and extracts the domain from that URL with a regular expression held in the RegEx-SingleRegularExpressions watchlist; the second-level domain (SLD) is then formed from the last two labels of the domain. It strips the "$id"/"$ref" reference markers from the Entities JSON so that it can be parsed, and summarizes the alerts by alert name, severity, description, and SLD, collecting the distinct URLs, domains, investigation actions, alert links, and entities for each group. The final result projects the fields relevant for further analysis.
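The following Python script, added here as an illustration and not part of the original query or the author's work, re-implements the parsing and grouping steps so the behaviour can be checked on constructed data: the URL regex stands in for the watchlist entry (which is not on the page) and only preserves the contract that capture group 3 is the host, the Entities cleanup uses the same pattern as the query's replace_regex, and the sample rows are constructed. It also shows that the two-label SLD heuristic collapses multi-label public suffixes such as co.uk into a single group.

```python
"""Python stand-in for the extend / replace_regex / summarize steps of the KQL query above."""
import json
import re
from collections import defaultdict

# Assumption: the watchlist regex is not on the page; this stand-in only keeps
# the contract the query relies on, namely that capture group 3 is the host.
URL_REGEX = re.compile(r"^(https?://)?(www\.)?([^/:?#]+)")

# Same pattern as the query's replace_regex: strips the JSON.NET "$id"/"$ref"
# reference markers so the Entities column parses as plain JSON.
ENTITY_REF_REGEX = re.compile(
    r'(,"\w+":\{"\$ref":"\d+"\}|,\{"\$ref":"\d+"\})|"\$id":"\d+",'
)


def parse_alert(investigation_name, entities_json):
    """Mirror the extend steps: URL, Domain (group 3), SLD (last two labels), Entities."""
    parts = investigation_name.split(" - ")
    url = parts[1] if len(parts) > 1 else ""  # split(...)[1] is empty when no separator
    match = URL_REGEX.search(url)
    domain = match.group(3) if match else ""
    # array_slice(split(Domain, "."), -2, -1) keeps the last two labels only,
    # so a multi-label public suffix such as co.uk collapses to "co.uk".
    sld = ".".join(domain.split(".")[-2:]) if domain else ""
    entities = json.loads(ENTITY_REF_REGEX.sub("", entities_json))
    return {"URL": url, "Domain": domain, "SLD": sld, "Entities": entities}


def summarize_by_sld(parsed_alerts):
    """Mirror 'summarize ... by SLD' with make_set semantics (distinct values)."""
    groups = defaultdict(lambda: {"Domains": set(), "URLs": set()})
    for alert in parsed_alerts:
        groups[alert["SLD"]]["Domains"].add(alert["Domain"])
        groups[alert["SLD"]]["URLs"].add(alert["URL"])
    return {sld: {k: sorted(v) for k, v in g.items()} for sld, g in groups.items()}


# Constructed sample rows (InvestigationName, Entities); not real alert data.
SAMPLE_ROWS = [
    ("URL click investigation - https://login.example-mail.co.uk/verify",
     '[{"$id":"1","Url":"https://login.example-mail.co.uk/verify","Type":"url"},'
     '{"$id":"2","Type":"account","Name":"user","Host":{"$ref":"1"}}]'),
    ("URL click investigation - http://www.portal.example-mail.co.uk/",
     '[{"$id":"1","Url":"http://www.portal.example-mail.co.uk/","Type":"url"}]'),
    ("URL click investigation - https://cdn.example.net/x?y=1",
     '[{"$id":"1","Url":"https://cdn.example.net/x?y=1","Type":"url"},{"$ref":"1"}]'),
]

if __name__ == "__main__":
    grouped = summarize_by_sld([parse_alert(n, e) for n, e in SAMPLE_ROWS])
    print(json.dumps(grouped, indent=2))
```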

Details

Jose Sebastián Canós

Released: March 31, 2023

Tables

SecurityAlert

Keywords

SecurityAlert, AlertName, ProviderName, InvestigationAction, URL, ExtendedProperties, Domain, SLD, Entities, TimeGenerated, StartTime, EndTime, InvestigationActions, URLs, Domains, AlertLinks, RemediationSteps, Tactics, Techniques, Description

Operators

where, and, ==, project, extend, tostring, split, extract, strcat_array, replace_regex, summarize, min, max, make_set, take_any, by, project