Forum Discussion

Ravi575
Copper Contributor
Mar 20, 2025

Investigating ASR Alert: Tracing the Source URL for C&C Activity

Hello everyone

I encountered an alert in Microsoft Defender indicating that a URL was blocked as a Command and Control activity. While investigating, I noticed multiple URLs accessed prior to the flagged one, including ad traffic. However, I am unable to identify the source URL that triggered this activity.

Could anyone suggest advanced hunting queries or any other investigative approaches to help trace the source URL? I am particularly interested in methods to correlate this URL with preceding network events or processes.

Thanks

2 Replies

  • Hi Ravi575, have you checked the attack story? You should be able to find it easily. If any help is needed, paste a screenshot here and hide information as required.

  • caferorman
    Copper Contributor

    Can you include a screen grab of the alert or any other relevant information?
