Forum Discussion
- Jan Geisbauer
Hi fedecharosky,
are you sure the process is called "firefox"? You are doing a ==, which means it has to match exactly. Do a NetworkCommunicationEvents without anything else in the query and check what you get back. I bet it's more like "firefox.exe" ...
Cheers,
Jan
Blog: emptyDC.com | Podcast: HairlessInTheCloud.com
- Billy_1
Jan Geisbauer, is there a dictionary that describes the source of each field's value?
- _UAEx
Hi fedecharosky,
If it was an encrypted URL it won't be captured, as I've observed this issue before; however, the query below can provide you with better context about your inquiry.
    // Network events from the last two days whose initiating process name contains the term "firefox"
    DeviceNetworkEvents
    | where Timestamp > ago(2d)
    | where InitiatingProcessFileName has "firefox"
    // Keep only the columns relevant to the question: who, where, and which remote endpoint/URL
    | project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
I hope that helps; let me know if you want any further information.
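Putting Jan's point about == together with the has-based query above, here is an added example that is not from any post in this thread. It assumes the standard Microsoft Defender advanced hunting DeviceNetworkEvents table and the column names used in the thread; the first query discovers how the process name is actually recorded, the second filters on it precisely and falls back to IP:port when no URL was recorded.

```kusto
// Added example (not from any post in this thread). Assumes the Microsoft Defender
// advanced hunting DeviceNetworkEvents table with the columns used in the thread:
// Timestamp, DeviceName, ActionType, InitiatingProcessAccountName,
// InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort.

// Query 1: find out how the browser's process name is actually recorded.
// `contains` is a case-insensitive substring match, so it returns "firefox.exe",
// "Firefox.exe" or any other spelling before you commit to an exact comparison.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName contains "firefox"
| summarize Events = count() by InitiatingProcessFileName
| order by Events desc

// Query 2: once the recorded name is known, filter on it precisely.
// `==` is a case-sensitive exact match, so `== "firefox"` never matches "firefox.exe";
// `=~` is the case-insensitive exact match, which is usually what you want for file names.
DeviceNetworkEvents
| where Timestamp > ago(2d)
| where InitiatingProcessFileName =~ "firefox.exe"
// When RemoteUrl is empty for a row, report the destination as RemoteIP:RemotePort instead
| extend Destination = iff(isempty(RemoteUrl), strcat(RemoteIP, ":", tostring(RemotePort)), RemoteUrl)
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, Destination, ActionType
| order by Connections desc
```

Paste and run the two queries one at a time in the advanced hunting editor. On the operator choice: `has` in the reply above works because "firefox" is a whole term inside "firefox.exe", whereas `==` compares the entire string, which is why `== "firefox"` returns nothing when the recorded name carries the .exe suffix.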