
Commit 055c1f0

authored
Update SuspiciousUrlClicked.md
1 parent 9ef093f commit 055c1f0

1 file changed

+6
-11
lines changed


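--- a/Initial access/SuspiciousUrlClicked.md
+++ b/Initial access/SuspiciousUrlClicked.md
@@ -9,12 +9,6 @@ This event reflects relevant clicks on the malicious URL in the spear-phishing e
 ```
 // Some URL are wrapped with a safelink
 // Let's get the the unwrapped url and clicks
-let GetCompareableUrl = (arg0:string )
-{
-let parsedUrl = parse_url(arg0);
-let UrlFromQueryParams = url_decode(tostring(parsedUrl["QueryParameters"].url));
-coalesce(UrlFromQueryParams, arg0)
-};
 AlertInfo
 | where ServiceSource == "Office 365 ATP"
 | join (
@@ -32,7 +26,7 @@ AlertInfo
 // Get the unique NetworkMessageId for the email containing the Url
 | distinct RemoteUrl, NetworkMessageId
 | join EmailEvents on NetworkMessageId
-// get the email RecipientEmailAddress and ObjectId from the email
+// Get the email RecipientEmailAddress and ObjectId from the email
 | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId
 | join kind = inner IdentityInfo on $left.RecipientObjectId == $right.AccountObjectId
 // get the UserSid of the Recipient
@@ -41,12 +35,13 @@ AlertInfo
 | join kind = inner
 (DeviceEvents
 | where ActionType == "BrowserLaunchedToOpenUrl"| where isnotempty(RemoteUrl)
-| extend UrlDeviceClickTime = Timestamp |extend UrlClickedByUserSid = GetCompareableUrl(RemoteUrl)
+| project UrlDeviceClickTime = Timestamp , UrlClickedByUserSid = RemoteUrl,
+InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName
 )
 on $left.OnPremSid == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid
-| distinct UrlDeviceClickTime, RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId, OnPremSid, UrlClickedByUserSid, DeviceName, DeviceId,
-InitiatingProcessFileName
-| sort by UrlDeviceClickTime desc
+| distinct UrlDeviceClickTime, RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,
+OnPremSid, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName
+| sort by UrlDeviceClickTime desc
 ```
 ## Category
 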
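Review bot: The comments "Some URL are wrapped with a safelink / Let's get the the unwrapped url and clicks" at the top of the first hunk now describe logic that no longer exists, because the third hunk replaces `GetCompareableUrl(RemoteUrl)` with the raw `UrlClickedByUserSid = RemoteUrl` while the join condition `$left.RemoteUrl == $right.UrlClickedByUserSid` is unchanged. If a browser launch in DeviceEvents records the Safe Links-wrapped form of the URL, that click will presumably no longer equal the AlertInfo RemoteUrl and will silently drop out of the results, which narrows the detection rather than just tidying the query. Either restore a normalization applied to both sides of the join, or replace the two stale comment lines with something like `// URLs are compared as-is; clicks recorded with a Safe Links-wrapped URL will not match the alert's RemoteUrl` so the limitation is visible to whoever runs the hunt. The "the the" typo in the second comment line is also still present.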