Query Details

Url Click Events To Open Phish URL

Query

// This query detects UrlClickEvents to URLs listed in the OpenPhish feed, followed by a risky sign-in for the same account
// Recommended Action: Mark User as Compromised
// OpenPhish publishes one URL per line; format="txt" reads each line as one row of the Url column
let OpenPhish = externaldata (Url: string) ["https://openphish.com/feed.txt"] with (format="txt");
UrlClickEvents
| join kind=inner OpenPhish on $left.Url == $right.Url
| project Timestamp, AccountUpn, Url
| join kind=inner AADSignInEventsBeta on $left.AccountUpn == $right.AccountUpn
// Both tables carry a Timestamp column, so the join renames the sign-in timestamp to Timestamp1;
// the sign-in has to happen after the click, so the sign-in time must be the later one
| where Timestamp1 > Timestamp
// RiskLevelDuringSignIn is a numeric level where 0 means no risk, so test for > 0 rather than only isnotempty()
| where RiskLevelDuringSignIn > 0
| project ClickTime = Timestamp, AccountUpn, Url, SignInTime = Timestamp1, RiskLevelDuringSignIn

Explanation

This query is designed to identify potentially compromised user accounts by detecting two specific events:

  1. URL Click Events: It first checks for instances where users have clicked on URLs that are listed in the OpenPhish database, which is a known source of phishing URLs.

  2. Risky Sign-Ins: It then looks for any risky sign-in events associated with the same user accounts that clicked on the phishing URLs.

Here's a step-by-step breakdown of what the query does:

  • Load OpenPhish Data: It imports a list of phishing URLs from the OpenPhish database.

  • Identify Phishing URL Clicks: It checks for URL click events where the clicked URL matches one from the OpenPhish list.

  • Project Relevant Data: It extracts the timestamp, user account (AccountUpn), and URL from these events.

  • Join with Sign-In Events: It joins this data with Microsoft Entra ID (formerly Azure Active Directory) sign-in events from AADSignInEventsBeta to find sign-ins by the same user accounts. Because both tables have a Timestamp column, the join keeps the click time as Timestamp and renames the sign-in time to Timestamp1.

  • Filter for Risky Sign-Ins: It keeps only sign-ins that occurred after the phishing click (Timestamp1 later than the click's Timestamp) and that carry a risk level, meaning Entra ID Protection flagged the sign-in as risky. In AADSignInEventsBeta the level is numeric with 0 meaning no risk, so a check that the column is merely non-empty also passes risk-free sign-ins; filter on RiskLevelDuringSignIn > 0 instead. Note also that the feed match is an exact string comparison on the clicked URL, so a URL that differs from the feed entry only by scheme, trailing slash or query string will not match; normalise both sides (for example with tolower()) if you need looser matching.

Recommended Action: If such events are detected, the user account should be marked as compromised for further investigation or action.
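The following is an added example, not part of the original query page: it runs the same detection logic on constructed inline data, so the ordering and risk filters can be validated in any Kusto endpoint without the live OpenPhish feed or the production tables. The table shapes mirror UrlClickEvents and AADSignInEventsBeta, but every account, URL and timestamp is made up, and RiskLevelDuringSignIn is assumed to be the numeric level from that schema (0 = none); confirm that against your tenant's schema before reusing it.

```kql
// Added example (not the page's own query): validate the phish-click -> risky-sign-in
// logic on constructed data. Rows, accounts and URLs below are invented.
let OpenPhish = datatable (Url: string) [
    "http://login-m1crosoft.example/verify",
    "http://secure-bank.example/update"
];
let Clicks = datatable (Timestamp: datetime, AccountUpn: string, Url: string) [
    datetime(2024-11-10 09:00:00), "alice@contoso.example", "http://login-m1crosoft.example/verify",
    datetime(2024-11-10 09:05:00), "bob@contoso.example",   "https://docs.contoso.example/policy.pdf",
    datetime(2024-11-10 12:00:00), "carol@contoso.example", "http://secure-bank.example/update"
];
// Row 1: risky sign-in 20 minutes after alice's click (the true positive).
// Row 2: carol's risky sign-in happened BEFORE her click, so it must not fire.
// Row 3: carol's later sign-in carries no risk (level 0), so it must not fire either.
// Row 4: bob's sign-in is risky, but he never clicked a listed URL.
// RiskLevelDuringSignIn typed as int is an assumption about the AADSignInEventsBeta schema.
let SignIns = datatable (Timestamp: datetime, AccountUpn: string, RiskLevelDuringSignIn: int) [
    datetime(2024-11-10 09:20:00), "alice@contoso.example", 100,
    datetime(2024-11-10 08:30:00), "carol@contoso.example", 10,
    datetime(2024-11-10 13:00:00), "carol@contoso.example", 0,
    datetime(2024-11-10 09:30:00), "bob@contoso.example",   100
];
Clicks
| join kind=inner OpenPhish on Url
| project ClickTime = Timestamp, AccountUpn, Url   // rename now, so the next join does not yield Timestamp/Timestamp1
| join kind=inner SignIns on AccountUpn
| where Timestamp > ClickTime                      // the sign-in must come after the click
| where Timestamp <= ClickTime + 1d                // and within a day of it, to limit noise on busy accounts
| where RiskLevelDuringSignIn > 0                  // 0 means no risk; isnotempty() alone would keep those rows
| project AccountUpn, Url, ClickTime, SignInTime = Timestamp, RiskLevelDuringSignIn
```

Running this should return exactly one row, alice@contoso.example with ClickTime 09:00, SignInTime 09:20 and risk level 100; the other three sign-ins are excluded by the ordering filter, the risk filter and the click join respectively. Renaming the click timestamp to ClickTime before the second join avoids relying on the auto-generated Timestamp1 suffix, which is where the ordering comparison is easy to get backwards. The one-day window is a tuning choice added here, not something the original query does; widen or narrow it to suit your environment.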

Details


Benjamin Zulliger

Released: November 10, 2024

Tables

UrlClickEvents, AADSignInEventsBeta

Keywords

UrlClickEvents, AADSignInEventsBeta, OpenPhish, AccountUpn, Url, RiskLevelDuringSignIn

Operators

externaldata, join, on, project, where, isnotempty
