Forum Discussion

mbhmirc's avatar
mbhmirc
Brass Contributor
May 05, 2020
Solved

URL Blocking incidents and action log

Hello All,   Is there a way when you block a URL in ATP to not to generate an alert or incident.  For example blocking a url where people keep trying it will generate lots of alerts.   If i want to...
  • mbhmirc's avatar
    mbhmirc
    May 07, 2020

    PhilTappUK I was trying to do it from the Alert, not the page.  Just saw you can do it in a better fashion on the page.  Thank you.

_UAEx's avatar
_UAEx
Copper Contributor
May 05, 2020

mbhmirc 

 

Hi,

Based on your question you want to detect mentioned URL accessed and not to block it. (Without generating alerts which cause noise)

from WDATP prospective, It can be achieved if you created "detection rule" in the Advance Hunting

 

USE THE QUERY BELOW TO GENERATE DETECTION RULE (DROPBOX AS EXAMPLE OF IOC FOR TESTING)

// THIS QUERY WILL IDENTIFY IF THERE WAS HIT TO IOC DOMAIN FOR LAST 7 DAYS WITH COUNT OF 3 OR MORE.

 

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "dropbox"
| summarize (Timestamp, ReportId, DeviceName, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteURL, Actiontype)=arg_max(Timestamp, ReportId, DeviceName, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, ActionType), count() by DeviceId
| where count_ > 3

 

But I will highly recommend to use your company DNS solution or Web Proxy instead for this requirement.

 

To detect the way I see it you can meet your requirement with support of your SIEM.

1- If WDATP Integrated, you can easily create dashboard/reporting for the accessed websites.

2- If not, you can achieve the same with proxy/dns logs.

 

I hope that will help you.

  • mbhmirc's avatar
    mbhmirc
    Brass Contributor
    May 06, 2020

    _UAEx Hello, we would like to block and not generate the alert.  It causes a lot of noise in the dashboard as people keep trying a URL that is blocked.