Forum Discussion

r0bu
Brass Contributor
Sep 03, 2020

KQL to query web browsing

Hi all!


My customer is looking to use MDATP for web content filtering (combination of web content filtering & CNIs, powered by MCAS (unsanctioned apps) but has a requirement to investigate web browsing (in this example, for a particular device) and return a full URL path. I'm hoping we can achieve this without using a full on proxy solution but I'm struggling to get the information out of MDATP (or MTP).


For example, I can use:

DeviceNetworkEvents
| where DeviceName == "client-name"
| where InitiatingProcessFileName contains "msedge.exe"
| project Timestamp, RemoteUrl, RemoteIP
| sort by Timestamp desc

but RemoteUrl does not show the full path.


This query does show full paths, but it only appears to work for downloads:

DeviceFileEvents
| where isnotempty(FileOriginUrl) and InitiatingProcessFileName == "msedge.exe" and DeviceName == "client-name"
| project Timestamp, FileName, FileOriginUrl, FileOriginReferrerUrl, SHA1 
| sort by Timestamp desc

I think I'm asking for functionality that doesn't exist, but I'm just wondering if I can get a sanity check or some guidance? Thanks in advance!

2 Replies

  • ansboss
    Copper Contributor
    Hi,
    I'm looking for the same solution using KQL in Microsoft Defender for Endpoint (MDE)/Azure Sentinel. With the `DeviceNetworkEvents` table, I can retrieve all the history, but the `RemoteUrl` does not show the full path and I get all the URLs, including ads, trackers, and other unwanted URLs.
    Any advice for that?!
    Thank you.
    • HA13029
      Brass Contributor
      Hi,
      Same issue for me!
      It means I cannot match traffic from the workstation with TI sources (like PhishTank or others).
      It would be nice to get feedback from MS teams...

      Regards,

      HA
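One way to get the most out of the two tables the thread discusses, as an added example that is not from any of the posters: union `DeviceNetworkEvents` (host-level `RemoteUrl`) with `DeviceFileEvents` (full `FileOriginUrl`, downloads only) into a single per-device browsing timeline, with the ad/tracker noise ansboss mentions suppressed via a domain list. The device name, the browser list and the noise-domain list are constructed placeholders; only columns already named in the thread are used.

```kql
// Added example: one browsing timeline per device from both tables.
// "client-name" and the noise-domain list are constructed placeholders.
let targetDevice = "client-name";
let lookback = 7d;
let browsers = dynamic(["msedge.exe", "chrome.exe", "firefox.exe"]);
// Constructed list of ad/tracker domains to suppress; replace with your own.
let noiseDomains = dynamic(["adservice.example", "tracker.example"]);
let netEvents = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where DeviceName == targetDevice
    | where InitiatingProcessFileName in~ (browsers)
    | where isnotempty(RemoteUrl)
    | where not(RemoteUrl has_any (noiseDomains))
    // RemoteUrl carries the host only, never the path
    | project Timestamp, Source = "DeviceNetworkEvents", Url = RemoteUrl,
              RemoteIP, Referrer = "", FileName = "", SHA1 = "";
let fileEvents = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where DeviceName == targetDevice
    | where InitiatingProcessFileName in~ (browsers)
    | where isnotempty(FileOriginUrl)
    | where not(FileOriginUrl has_any (noiseDomains))
    // FileOriginUrl keeps the full path, but only for downloaded files
    | project Timestamp, Source = "DeviceFileEvents", Url = FileOriginUrl,
              RemoteIP = "", Referrer = FileOriginReferrerUrl, FileName, SHA1;
union netEvents, fileEvents
// Normalise to a bare host so both sources can be matched against a TI list
| extend Host = extract(@"^(?:https?://)?([^/:?#]+)", 1, Url)
| sort by Timestamp desc
```

The `Host` column is what you would join against a threat-intel domain list; path-level matching is only possible for the `DeviceFileEvents` rows.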
