Query Details
//When Defender for Cloud detects communication with a possible phishing domain, use Defender logs to find any network connections to that same domain
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
//Data connector required for this query - M365 Defender - Device* tables
let domain=
SecurityAlert
| where TimeGenerated > ago (7d)
| where AlertName startswith "Communication with possible phishing domain"
| mv-expand todynamic(Entities)
| extend DomainName = tostring(Entities.DomainName)
| where isnotempty(DomainName)
| distinct DomainName;
DeviceNetworkEvents
| where TimeGenerated > ago (7d)
| where RemoteUrl in~ (domain)
| project
TimeGenerated,
ActionType,
DeviceName,
InitiatingProcessAccountName,
InitiatingProcessCommandLine,
LocalIP,
RemoteIP,
RemoteUrl,
RemotePort

This query is used to find network connections to a possible phishing domain detected by Defender for Cloud. It uses Defender logs and requires two data connectors - Security Alert and M365 Defender - Device* tables.
The query first identifies the domain by filtering SecurityAlert data for alerts related to possible phishing domains in the past 7 days. It then expands the Entities column and extracts the DomainName.
Next, it searches the DeviceNetworkEvents data for network events in the past 7 days where the RemoteUrl matches any of the identified domains. It projects various fields such as TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, LocalIP, RemoteIP, RemoteUrl, and RemotePort.
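One caveat when running the query above: `RemoteUrl in~ (domain)` only matches when the DeviceNetworkEvents value is exactly the bare hostname, so a RemoteUrl recorded as a full URL (for example `https://<domain>/login`) or a domain that the alert carried as a Url entity rather than a DomainName entity is missed. The variant below is an added example, not part of Matt Zorich's original query; it assumes the standard Microsoft Sentinel schemas for SecurityAlert and DeviceNetworkEvents and keeps the same 7-day window, but normalises both sides to a lower-case host before comparing.

```kql
// Added example: the same hunt, made tolerant of full-URL RemoteUrl values
// and of alert entities that carry a Url instead of a DomainName.
let lookback = 7d;
let phishingDomains =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertName startswith "Communication with possible phishing domain"
    | mv-expand todynamic(Entities)
    // Domain entities expose DomainName; URL entities expose Url. Take the
    // host out of the URL and fold both into one column (empty strings are
    // skipped by coalesce).
    | extend Candidate = coalesce(
          tostring(Entities.DomainName),
          tostring(parse_url(tostring(Entities.Url)).Host))
    | where isnotempty(Candidate)
    | extend Domain = tolower(Candidate)
    | distinct Domain;
DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where isnotempty(RemoteUrl)
// RemoteUrl may be "host.example" or "https://host.example:443/path".
// parse_url needs a scheme to populate Host, so prepend one when absent;
// it also strips any port for us.
| extend RemoteHost = tolower(tostring(parse_url(
      iff(RemoteUrl contains "://", RemoteUrl, strcat("http://", RemoteUrl))).Host))
| where RemoteHost in (phishingDomains)
| project
    TimeGenerated,
    ActionType,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemoteUrl,
    RemotePort
| sort by TimeGenerated desc
```

Because both sides are lower-cased, a plain `in` is enough and the case-insensitive `in~` is no longer needed; the `sort by` simply puts the most recent connection first so the triage order is obvious.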

Matt Zorich
Released: June 17, 2022