Query Details
//Visualize the most popular weaponized domains in the phishing emails your users receive
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
SecurityAlert
| where TimeGenerated > ago(365d)
//OATP = Office 365 Advanced Threat Protection (Defender for Office 365) alerts
| where ProviderName == "OATP"
| where AlertName in ("Email messages containing malicious URL removed after delivery","Email messages containing phish URLs removed after delivery")
//Entities is a JSON array string; unpack it and emit one row per entity
| mv-expand todynamic(Entities)
//Only entities of type "url" carry a Url field; the rest become an empty string and drop out at parse-where
| extend MaliciousURL = tostring(Entities.Url)
| project MaliciousURL
//Take the text between "//" and the next "/" as the domain; note that a URL with no path after the host has no second "/" and is discarded here
| parse-where MaliciousURL with * "//" ['Malicious Domain'] "/" *
| summarize Count=count() by ['Malicious Domain']
| sort by Count desc
| render barchart
This query analyzes the phishing emails received by users and identifies the most popular weaponized domains used in these emails. It reads the SecurityAlert table (Security Alert data connector) and keeps only alerts from the OATP provider whose alert name is one of the two "malicious URL" or "phish URL" removed-after-delivery alerts. The query then expands the Entities array into one row per entity, extracts the malicious URL from each URL entity, and parses the URL to pull out the malicious domain. Finally, it summarizes the count of occurrences for each malicious domain and presents the results in a bar chart.
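As an added illustration (not part of the original query or its author's code), the same filter / expand / extract / count pipeline run over a constructed sample of SecurityAlert rows. The row and entity shapes are assumed from the query (Entities as a JSON array string with Type and Url fields); it uses a real URL parser for the domain, which also keeps a URL that has no path after the host, the case the query's parse-where discards.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of SecurityAlert rows (not real alert data): the three
# columns the query touches, with Entities as the JSON string the table stores.
SAMPLE_ALERTS = [
    {"ProviderName": "OATP",
     "AlertName": "Email messages containing phish URLs removed after delivery",
     "Entities": json.dumps([
         {"Type": "mailbox", "MailboxPrimaryAddress": "user1@contoso.example"},
         {"Type": "url", "Url": "https://login-update.example/auth/index.php"},
     ])},
    {"ProviderName": "OATP",
     "AlertName": "Email messages containing malicious URL removed after delivery",
     "Entities": json.dumps([
         {"Type": "url", "Url": "http://LOGIN-UPDATE.example"},  # no path: parse-where would drop it
         {"Type": "url", "Url": "https://docs-share.example/file/1"},
     ])},
    {"ProviderName": "MDATP",  # different provider: filtered out by the where clause
     "AlertName": "Suspicious process",
     "Entities": json.dumps([{"Type": "url", "Url": "https://ignored.example/"}])},
]

# The two alert names the query's "in" filter accepts.
PHISH_ALERTS = {
    "Email messages containing malicious URL removed after delivery",
    "Email messages containing phish URLs removed after delivery",
}

def malicious_urls(alerts):
    """Mirror the where / mv-expand / extend stages: yield each Url from matching OATP alerts."""
    for row in alerts:
        if row["ProviderName"] != "OATP" or row["AlertName"] not in PHISH_ALERTS:
            continue
        for entity in json.loads(row["Entities"]):  # todynamic(Entities) + mv-expand
            # Entities.Url is only present on url-type entities; others yield nothing
            if entity.get("Type") == "url" and entity.get("Url"):
                yield entity["Url"]

def domain_counts(alerts):
    """Mirror summarize/sort: count hosts, highest first (ties broken by name)."""
    counts = Counter()
    for url in malicious_urls(alerts):
        host = urlsplit(url).hostname  # lower-cased host, port stripped, path optional
        if host:
            counts[host] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```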

Matt Zorich
Released: June 17, 2022