Forum Discussion

fedecharosky
Brass Contributor
Nov 10, 2019

How does NetworkCommunicationEvents > RemoteURL entity get filled?

Hi team,

With WDATP EDR available for Mac I wanted to investigate the RemoteURL field for all Firefox processes, but we don't seem to be capturing that data.

NetworkCommunicationEvents
| where InitiatingProcessFileName == "firefox"
| summarize by RemoteURL

RemoteIP is correctly filled, but not RemoteURL.

Any ideas?
  • Jan Geisbauer
    Brass Contributor

    Hi fedecharosky,

    are you sure the process is called "firefox"? You are doing a ==, which means it has to match exactly. Do a NetworkCommunicationEvents without anything else in the query and check what you get back. I bet it's more like "firefox.exe" ..

    Cheers,

    Jan

    Blog: emptyDC.com | Podcast: HairlessInTheCloud.com

  • _UAEx
    Copper Contributor

    Hi fedecharosky,

    If it was an encrypted URL it won't be captured, as I've observed this issue before; however, the query below can provide you better context about your inquiry.

    DeviceNetworkEvents
    | where Timestamp > ago(2d)
    | where InitiatingProcessFileName has "firefox"
    | project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine

    I hope that helps, let me know if you want any further information.
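An added query, not part of either reply, that separates the two explanations given in this thread: it groups Firefox network events by the exact process name and ActionType and reports how many of them carry a RemoteUrl, so a process-name mismatch (zero rows for the name you expected) and an unpopulated field (rows present, but WithUrl stays at 0) show up differently. It assumes the DeviceNetworkEvents schema used in the reply above; the 7-day window and the "firefox" substring are assumptions.

```kql
// Added example, not from the thread. Assumes the DeviceNetworkEvents table
// and columns shown in the reply above; the time window and the "firefox"
// substring are assumptions and can be adjusted.
DeviceNetworkEvents
| where Timestamp > ago(7d)
// substring match, so "firefox", "firefox.exe" and "firefox-bin" all count
| where InitiatingProcessFileName has "firefox"
| extend HasUrl = isnotempty(RemoteUrl)
| summarize
    TotalEvents   = count(),            // how many events this bucket has
    WithUrl       = countif(HasUrl),    // how many of them carry a RemoteUrl
    DistinctHosts = dcount(RemoteIP),   // RemoteIP is populated even when RemoteUrl is not
    SampleUrls    = make_set_if(RemoteUrl, HasUrl, 3)
    by DeviceName, InitiatingProcessFileName, ActionType, RemotePort
// percentage of events in the bucket where RemoteUrl was filled in
| extend UrlCoveragePct = round(100.0 * WithUrl / TotalEvents, 1)
| order by TotalEvents desc
```

Reading the result by RemotePort is useful: a bucket with many events and a coverage of 0 on port 443 but non-zero on port 80 points at the encrypted-traffic explanation from the reply above rather than at a missing process name.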
