Forum Discussion

Sep 19, 2023

Advanced Hunting - Defender for Endpoint

I would like to know how I do a Hunting to identify a machine and which user accessed certain URLs on that device. I know that Sentinel could bring this type of information, but I would like to do this through hunting in Defender for Endpoint and I would like to know what the query would look like to bring this type of information.

3 Replies

  • 2code-monte
    Copper Contributor
    Hi Diego, you need something like this.

    DeviceNetworkEvents
    | where RemoteUrl == "http://www.badurl.com"
    | project Timestamp, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
    • Diego-Gonzalez
      MCT
      In fact, what I was looking for would be this:

      I already found it, thanks for sharing and helping.

      To collect information from all devices:

      DeviceNetworkEvents
      | project DeviceName, Timestamp, RemoteUrl, ActionType, Protocol, RemoteIP, RemotePort
      | order by Timestamp desc

      To collect information from specific devices:

      // Replace with the name of the specific device you want to investigate.
      // The variable must not be called DeviceName: that is already the column name,
      // so "DeviceName == DeviceName" would compare the column with itself and match every row.
      let TargetDevice = "Your_Device_Name";
      DeviceNetworkEvents
      | where DeviceName == TargetDevice
      | project DeviceName, Timestamp, RemoteUrl, ActionType, Protocol, RemoteIP, RemotePort
      | order by Timestamp desc
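The original question also asked which user accessed the URLs, which neither reply's query returns. The following is an added example written for this thread, not code posted by either participant: it filters DeviceNetworkEvents to one device and a list of watched host names, and projects the InitiatingProcess account columns that identify the signed-in user behind the connecting process. The device name and URL fragments are constructed placeholders to replace.

```kusto
// Added example (not from the original thread): which user on a given device
// connected to any of a set of watched URLs, with the connecting process for context.
let TargetDevice = "WORKSTATION-01";                              // placeholder: device to investigate
let WatchedUrls = dynamic(["badurl.com", "another-badurl.example"]); // placeholder: host fragments to match
DeviceNetworkEvents
| where Timestamp > ago(30d)                   // Defender for Endpoint keeps 30 days of raw events
| where DeviceName =~ TargetDevice             // case-insensitive match on the device name
| where RemoteUrl has_any (WatchedUrls)        // any watched fragment appearing in the URL/FQDN
| project Timestamp, DeviceName,
          // account that owns the process which opened the connection
          InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn,
          RemoteUrl, RemoteIP, RemotePort, Protocol, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Two practical notes: RemoteUrl frequently holds only the host name rather than a full path, especially for HTTPS, so matching on host fragments with `has_any` is more reliable than an exact `==` against a full URL; and the account columns describe the user context of the initiating process, so a connection made by a service or system process will show that service account rather than the interactive user.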
