Forum Discussion
fedecharosky
Nov 10, 2019 - Brass Contributor
How does NetworkCommunicationsEvents > RemoteURL entity get filled?
Hi team, With WDATP EDR available for Mac I wanted to investigate the RemoteURL field for all Firefox processes, but we don't seem to be capturing that data. NetworkCommunicationEvents | w...
_UAEx
Jul 08, 2020 - Copper Contributor
fedecharosky Hi,
If it was an encrypted URL, it won't be captured, as I've observed this issue before; however, the query below can provide you with better context for your inquiry.
DeviceNetworkEvents
| where Timestamp > ago(2d)
| where InitiatingProcessFileName has "firefox"
| project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
I hope that helps, let me know if you want any further information.
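
An added example, not part of the original reply: a query that measures how often RemoteUrl is populated for Firefox-initiated events, broken down by ActionType, so you can see which event types carry a URL at all. It uses only the table, columns, filter and two-day window from the query above.

```kusto
// Added example: RemoteUrl fill rate per ActionType for Firefox-initiated events.
DeviceNetworkEvents
| where Timestamp > ago(2d)
| where InitiatingProcessFileName has "firefox"
| summarize
    Total = count(),                          // all events for this ActionType
    WithUrl = countif(isnotempty(RemoteUrl)), // events where RemoteUrl was recorded
    Devices = dcount(DeviceName)              // how many devices reported them
    by ActionType
| extend UrlFillPercent = round(100.0 * WithUrl / Total, 1)
| order by Total desc
```

A row with a high Total and a UrlFillPercent near zero means those events are being collected with only RemoteIP and RemotePort to pivot on.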