Can you help me in this query

let minTimeRange = ago(7d);
// Browser launches initiated by outlook.exe or runtimebroker.exe
let outlookLinks =
DeviceEvents
| where Timestamp > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and
isnotempty(RemoteUrl)
| where
InitiatingProcessFileName =~ "outlook.exe"
or InitiatingProcessFileName =~ "runtimebroker.exe"
| project Timestamp , DeviceId , DeviceName , RemoteUrl, InitiatingProcessFileName,
ParsedUrl=parse_url(RemoteUrl)
// Compare the parsed host name itself, not a URL string
| extend WasOutlookSafeLink=(tostring(ParsedUrl.Host) endswith "safelinks.protection.outlook.com")
// parse_url() names the query-string bag "Query Parameters" (with a space)
| project Timestamp , DeviceId, DeviceName , WasOutlookSafeLink,
InitiatingProcessFileName,
OpenedLink=iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl["Query Parameters"]["url"])), RemoteUrl);
// AlertInfo has no DeviceId column; AlertEvidence supplies it for the join on DeviceId below
let alerts =
AlertInfo
| join AlertEvidence on AlertId
| summarize (FirstDetectedActivity, Title)=arg_min(Timestamp, Title) by AlertId, DeviceId
| where FirstDetectedActivity > minTimeRange;
alerts
| join kind=inner (outlookLinks) on DeviceId
// Keep alerts first detected within 3 minutes after the link was opened
| where FirstDetectedActivity -
Timestamp between (0min..3min)
| summarize FirstDetectedActivity=min(FirstDetectedActivity),
AlertTitles=make_set(Title) by OpenedLink, InitiatingProcessFileName,
EventTime=bin(Timestamp, 1tick), DeviceName, DeviceId , WasOutlookSafeLink

Links opened from outlook.exe, followed by a warning that was ignored by the user.

3 Replies

Hello @Shviam ,

 

We are parsing the Safe Links urls for you :smile:

 

Therefore in the first part of the query, you don't need to parse the url:

  • In the column RemoteUrl we are giving you the actual target url, that in case of Safe Links is "behind" the Safe Links url.
  • In AdditionalFields you will have the Safe Links complete url, in case this link was a Safe Links url. Using: | extend SafeLinksUrl = tostring(parse_json(AdditionalFields)["SafeLinksUrl"]), you can extract it and get the complete url. In case the url was not a Safe Links url, SafeLinksUrl will be null.

An example: [image: safelinks.png]

I adjusted this part of the query a bit and it is working now:
 
let outlookLinks =
DeviceEvents
| where Timestamp > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
| where InitiatingProcessFileName =~ "outlook.exe" or InitiatingProcessFileName =~ "runtimebroker.exe"
| extend SafeLinksUrl = tostring(parse_json(AdditionalFields)["SafeLinksUrl"])
| project Timestamp , DeviceId , DeviceName , OpenedLink = RemoteUrl, InitiatingProcessFileName, SafeLinksUrl;
 
I was not sure what you were trying to do with alerts? If you can please clarify I can help with the rest of the query.
 
Thanks,
Tali 
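
Added example, not part of the reply above and not Microsoft's own code: the adjusted outlookLinks logic run over constructed rows, so the two columns described in the reply can be seen side by side. The table name SampleDeviceEvents, every row value and the TargetMatches cross-check are assumptions made for illustration.

```kusto
// Constructed sample rows standing in for DeviceEvents (not real telemetry):
//   row 1: click on a Safe Links-wrapped URL, RemoteUrl already holds the target
//   row 2: click on a plain link, AdditionalFields has no SafeLinksUrl key
//   row 3: same action from another process, removed by the process filter
let SampleDeviceEvents = datatable(
    Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string,
    InitiatingProcessFileName: string, RemoteUrl: string, AdditionalFields: string)
[
    datetime(2020-08-01 10:00:00), "dev-1", "host-a.example", "BrowserLaunchedToOpenUrl",
    "OUTLOOK.EXE", "https://target.example/login",
    '{"SafeLinksUrl":"https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftarget.example%2Flogin&data=x"}',
    datetime(2020-08-01 10:05:00), "dev-2", "host-b.example", "BrowserLaunchedToOpenUrl",
    "RuntimeBroker.exe", "https://plain.example/", "{}",
    datetime(2020-08-01 10:06:00), "dev-2", "host-b.example", "BrowserLaunchedToOpenUrl",
    "winword.exe", "https://other.example/", "{}"
];
SampleDeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
| where InitiatingProcessFileName =~ "outlook.exe" or InitiatingProcessFileName =~ "runtimebroker.exe"
// Full Safe Links wrapper, empty when the click was not on a Safe Links URL
| extend SafeLinksUrl = tostring(parse_json(AdditionalFields)["SafeLinksUrl"])
| extend WasOutlookSafeLink = isnotempty(SafeLinksUrl)
// Cross-check: decode the wrapper's url parameter (the manual parsing from the
// original question) and compare it with the target reported in RemoteUrl
| extend WrappedTarget = url_decode(tostring(parse_url(SafeLinksUrl)["Query Parameters"]["url"]))
| extend TargetMatches = iff(WasOutlookSafeLink, WrappedTarget == RemoteUrl, bool(null))
| project Timestamp, DeviceName, InitiatingProcessFileName,
          OpenedLink = RemoteUrl, WasOutlookSafeLink, TargetMatches
```

Because tostring() turns a missing key into an empty string, isnotempty(SafeLinksUrl) is used here as the Safe Links flag instead of a host-suffix test.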

@Tali Ash Thanks a lot

I'm trying to create an analytic rule for which user clicked on the malicious link and they got the warning sign: "The URL is in an email message that seems similar to other email messages that are considered suspicious. We recommend that you double-check the email message before proceeding to the site."

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links-warning-p...

 

We are working to onboard url clicks data from Office365 into advanced hunting, so you will be able to see if a url was clicked and the verdict of the url at the time of the click. Thanks, Tali