Forum Discussion
JurriaanvD
Jun 03, 2025, Copper Contributor
Indicators added for URL with setting 'Audit'. But where can I review those?
Was asked to put a few domains on a watchlist to see how often they're actually requested from endpoints in our organization.
Went to Defender, Settings, Endpoints, Indicators, and added the domains there with the action set to 'audit'.
I figured I should be able to review something in the Audit logs of Defender itself, but all I see there are the actions I did when adding the URLs to the indicator list.
Anyone have any idea where I can review the usage of those websites I've set to audit, so we can determine if it's feasible to shut them down or not?
2 Replies
- JurriaanvD, Copper Contributor
While I would expect it to be a bit more intuitive than running to KQL (which I've rarely used), with a bit of tinkering that query did yield some results. Thanks :)
- cssns, Copper Contributor
You may do a KQL search, enter the domain name and select your search scope.
```kusto
let url = "domain";
search in (EmailUrlInfo,UrlClickEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceEvents,BehaviorEntities)
Timestamp between (ago(1d) .. now())
and (RemoteUrl has url
  or FileOriginUrl has url
  or FileOriginReferrerUrl has url
  or Url has url
)
| take 100
```