# OneNote invoking browser that produced smart screen warning
## Description
A detection rule for OneNote files that invoke a browser (via an inline URL) and thereby produce a SmartScreen URL warning. Detection has been provided following public discussion with @DhaeyerWolf.
### Microsoft 365 Defender & Microsoft Sentinel
```kql
// Browsers launched by OneNote (the inline-URL click)
let Process = DeviceProcessEvents
| where InitiatingProcessFileName contains "onenote.exe"
// Define any other browser files below that may be present in your environment
| where FileName has_any ("firefox.exe","msedge.exe","chrome.exe")
| project Timestamp, DeviceId, DeviceName, AccountDomain, AccountName;
// Joining DeviceEvents table to correlate SmartScreen URL warnings
Process
| join (DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| project DeviceId, DeviceName, InitiatingProcessAccountUpn, RemoteUrl
) on DeviceId
```
### Versioning
| Version | Date | Comments |
| ------------- |---------------| ---------------------------------------|
| 1.0 | 28/02/2022 | Initial publish |
| 1.1 | 23/05/2023 | Transformed to template, minor changes |
This query detects instances where a OneNote file invokes a browser (through an inline URL) that in turn triggers a SmartScreen URL warning. It joins the DeviceProcessEvents and DeviceEvents tables to correlate SmartScreen URL warnings with browser launches initiated by OneNote. The browser list (Firefox, Microsoft Edge, Chrome) should be extended with any other browsers present in the environment. Note that the join is on DeviceId only, so any SmartScreen warning on a device where OneNote has ever launched a browser will match; the versioning table above records the query's revisions.
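A tighter variant of the same correlation, added here as an example and not part of the original query: it keeps only SmartScreen warnings raised by the same account within ten minutes of the OneNote-spawned browser launch, which drops the device-wide matches the DeviceId-only join produces. The ten-minute window, the seven-day lookback and the use of the AccountUpn column on DeviceProcessEvents are assumptions to adjust for your tenant.

```kql
let lookback = 7d;            // assumed hunting range
let window = 10m;             // assumed gap between browser launch and warning
// Browsers started by OneNote, with the launch time kept for the time-window check
let BrowserFromOneNote = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "onenote.exe"
| where FileName in~ ("firefox.exe", "msedge.exe", "chrome.exe")
| project LaunchTime = Timestamp, DeviceId, DeviceName, AccountUpn,
          BrowserProcess = FileName, ProcessCommandLine;
// SmartScreen URL warnings on the same device, same account, shortly after the launch
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "SmartScreenUrlWarning"
| project WarningTime = Timestamp, DeviceId, InitiatingProcessAccountUpn, RemoteUrl
| join kind=inner BrowserFromOneNote on DeviceId
| where WarningTime between (LaunchTime .. (LaunchTime + window))
| where InitiatingProcessAccountUpn =~ AccountUpn
| project WarningTime, LaunchTime, DeviceName, AccountUpn, BrowserProcess,
          RemoteUrl, ProcessCommandLine
| order by WarningTime desc
```

ProcessCommandLine is projected so an analyst can see the URL OneNote handed to the browser alongside the URL SmartScreen flagged.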

Michalis Michalos
Released: August 14, 2023