Forum Discussion

JurriaanvD's avatar
JurriaanvD
Copper Contributor
Jun 03, 2025
Solved

Indicators added for URL with setting 'Audit'. But where can I review those?

Was asked to put a few domains on a watchlist to see how often they're actually requested from endpoints in our organization.  Went to Defender, Settings, Endpoints, Indicators, and added the domain...
  • cssns's avatar
    cssns
    Jun 09, 2025

    You may do a KQL search, enter the domain name and select your search scope. 

     

    let url = "domain";
    search in (EmailUrlInfo,UrlClickEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceEvents,BehaviorEntities)
    Timestamp between (ago(1d) .. now())
    and (RemoteUrl has url
    or FileOriginUrl has url
    or FileOriginReferrerUrl has url
    or Url has url
    )
    | take 100

JurriaanvD's avatar
JurriaanvD
Copper Contributor
Jun 10, 2025

While I would expect it to a be a bit more intuitive than run to KQL (which I've rarely used), with a bit of tinkering that query did yield some results. Thanks :) 

Resources