Forum Discussion

JurriaanvD's avatar
JurriaanvD
Copper Contributor
Jun 03, 2025
Solved

Indicators added for URL with setting 'Audit'. But where can I review those?

Was asked to put a few domains on a watchlist to see how often they're actually requested from endpoints in our organization.  Went to Defender, Settings, Endpoints, Indicators, and added the domain...
  • cssns's avatar
    cssns
    Jun 09, 2025

    You may do a KQL search, enter the domain name and select your search scope. 

     

    let url = "domain";
    search in (EmailUrlInfo,UrlClickEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceEvents,BehaviorEntities)
    Timestamp between (ago(1d) .. now())
    and (RemoteUrl has url
    or FileOriginUrl has url
    or FileOriginReferrerUrl has url
    or Url has url
    )
    | take 100

cssns's avatar
cssns
Brass Contributor
Jun 09, 2025

You may do a KQL search, enter the domain name and select your search scope. 

 

let url = "domain";
search in (EmailUrlInfo,UrlClickEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceEvents,BehaviorEntities)
Timestamp between (ago(1d) .. now())
and (RemoteUrl has url
or FileOriginUrl has url
or FileOriginReferrerUrl has url
or Url has url
)
| take 100

Resources