Direct Link to Threat Explorer Results


Dear community,

I'm working in a Cyber Security Operations Center. In our daily work we need to investigate O365 alerts. What we currently have is just a link to the Azure Security Portal (AppSecurityPortal), but there is no detailed information there about a detected phishing or malware mail. Therefore we would like to use a direct link to https://protection.office.com instead. What I know so far from the raw data on the AppSecurityPortal is that a direct link to a specific message is possible via

"EventDeepLink": "https://protection.office.com/?hash=/threatexplorer?messageParams=<id>,2020-04-29T00:00:00,2020-04-29T23:59:59&view=Phish"

But what we use in an investigation is, for example, a direct link to get the result for all mails with a specific subject or from a specific sender. I know we can do it manually via the website, but a direct link placed in our internal ticketing system would help our analysts speed up the investigation.

Maybe you know how I can hand over parameters in the URL in order to start a search like this directly.

In addition we would like to know the same for the CloudAppSecurityPortal Activity Log:

We know that we can directly jump to all activities related to a specific IP with the following:

https://<companyname>.portal.cloudappsecurity.com/#/audits?ip.address=eq(<ip>,)

But we would also like to know here how to search directly for a specific user or mail address.

Many thanks for your help!

Regards

Immanuel Peschen
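The two link shapes quoted in the post (the Threat Explorer EventDeepLink and the Cloud App Security activity-log IP filter) are easy to generate from alert data, but the values that go into them come from mail an attacker sent, and the result is pasted into a ticket that analysts click. The following is an added example, not code from the post or from Microsoft: it builds only the two URL forms shown above, validates each value instead of percent-encoding it, and parses an EventDeepLink back into its parts. The message-id allowlist, the view-name check, the "SourceIp" field name and the sample alert record are assumptions made here for illustration; only "Phish" appears as a view name on the page.

```python
"""Build and parse the two Microsoft 365 portal deep links quoted in the post.

Only the URL shapes shown in the post are produced. Values are validated
before they go into a URL: in a SOC pipeline they come from alert data that
an attacker influences (sender, subject, IDs), and the result is pasted
into a ticket that analysts click.
"""
import ipaddress
import re
from datetime import date, datetime
from urllib.parse import parse_qs, urlsplit

PROTECTION_PORTAL = "https://protection.office.com"
# Characters accepted in a message id; anything else is rejected rather than
# encoded, so a crafted id cannot smuggle extra parameters (assumed allowlist).
_MESSAGE_ID_RE = re.compile(r"^[A-Za-z0-9@._\-]{1,256}$")
_VIEW_RE = re.compile(r"^[A-Za-z]+$")                  # only "Phish" appears in the post
_TENANT_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")   # the <companyname> DNS label
_MESSAGE_PARAMS_RE = re.compile(r"messageParams=([^,&]+),([^,&]+),([^,&]+)")


def threat_explorer_link(message_id: str, day: date, view: str = "Phish") -> str:
    """Deep link to one message in Threat Explorer, in the shape of EventDeepLink.

    The time window is the whole day the message was seen, matching the
    00:00:00 .. 23:59:59 window in the post's example.
    """
    if not _MESSAGE_ID_RE.match(message_id):
        raise ValueError(f"refusing to put unexpected message id in a URL: {message_id!r}")
    if not _VIEW_RE.match(view):
        raise ValueError(f"unexpected view name: {view!r}")
    start = datetime.combine(day, datetime.min.time()).strftime("%Y-%m-%dT%H:%M:%S")
    end = datetime.combine(day, datetime.max.time()).strftime("%Y-%m-%dT%H:%M:%S")
    return (f"{PROTECTION_PORTAL}/?hash=/threatexplorer"
            f"?messageParams={message_id},{start},{end}&view={view}")


def parse_event_deep_link(url: str) -> dict:
    """Recover message id, window and view from an EventDeepLink.

    The portal nests a second query string inside the outer ``hash`` parameter,
    so parse_qs alone yields hash="/threatexplorer?messageParams=..." and the
    inner part has to be picked apart separately.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != "protection.office.com":
        raise ValueError("not a protection.office.com link")
    outer = parse_qs(parts.query)
    route = outer.get("hash", [""])[0]
    match = _MESSAGE_PARAMS_RE.search(route)
    if not match:
        raise ValueError("no messageParams in link")
    return {"message_id": match.group(1), "start": match.group(2),
            "end": match.group(3), "view": outer.get("view", [""])[0]}


def cas_ip_link(tenant: str, ip: str) -> str:
    """Cloud App Security activity log filtered to one IP, as quoted in the post."""
    if not _TENANT_RE.match(tenant):
        raise ValueError(f"unexpected tenant name: {tenant!r}")
    address = ipaddress.ip_address(ip)   # raises ValueError on anything that is not an IP
    return f"https://{tenant}.portal.cloudappsecurity.com/#/audits?ip.address=eq({address},)"


# Constructed sample alert. "EventDeepLink" is the field the post quotes from the
# portal's raw data; "SourceIp" is an assumed field name for illustration.
SAMPLE_ALERT = {
    "EventDeepLink": (PROTECTION_PORTAL + "/?hash=/threatexplorer?messageParams="
                      "1f4c2e6a-2e4e-4f13-9e58-9b36a1c4d2f0,"
                      "2020-04-29T00:00:00,2020-04-29T23:59:59&view=Phish"),
    "SourceIp": "203.0.113.10",
}


def ticket_links(alert: dict, tenant: str) -> dict:
    """The links an analyst wants in the ticket, derived from one alert record."""
    info = parse_event_deep_link(alert["EventDeepLink"])
    day = date.fromisoformat(info["start"][:10])
    return {
        "threat_explorer": threat_explorer_link(info["message_id"], day, info["view"]),
        "cas_activity_by_ip": cas_ip_link(tenant, alert["SourceIp"]),
    }


if __name__ == "__main__":
    for name, link in ticket_links(SAMPLE_ALERT, "contoso").items():
        print(f"{name}: {link}")
```

Rejecting rather than encoding is deliberate: the portal shows the id, timestamps and view as raw characters inside the `hash` value, so it is not clear which encoding it would accept, and a strict allowlist is safer than guessing. The subject- and sender-based searches the post asks about are not built here because no URL form for them appears in the thread.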

2 Replies

@immanuelpeschenthyssenkruppcom you should take a look at the Graph API. There is a connector in Power Automate for that.

https://flow.microsoft.com/en-us/connectors/shared_microsoftgraphsecurity/microsoft-graph-security/

https://docs.microsoft.com/en-us/graph/api/resources/alert?view=graph-rest-beta

@JanBakkerOrphaned Thanks for your reply. I will give it a try. Hopefully there is no limitation on the information we are able to pull and the licensing works fine.
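The reply points at the Graph Security API alert resource rather than at portal URL parameters. What a ticketing integration would actually do with it is shown in the following added example, which is not code from the thread or from Microsoft: it composes the request to `GET /security/alerts` with an escaped OData `$filter`, and flattens a response into ticket rows, keeping links from `sourceMaterials` only when they point at one of the portals named in the thread. Field names follow the v1.0 alert resource (id, title, severity, status, vendorInformation, userStates, networkConnections, sourceMaterials); the sample response, the provider string and the token are constructed here, and no network call is made.

```python
"""Turn Microsoft Graph Security alerts into ticket rows without trusting their contents.

Nothing is sent over the network here: build_alerts_request() returns the URL
and headers to send, and alerts_to_ticket_rows() runs over a constructed
sample response. Field names follow the v1.0 ``alert`` resource; the app
registration needs SecurityEvents.Read.All and a bearer token obtained elsewhere.
"""
import re
from typing import Optional
from urllib.parse import urlencode, urlsplit

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
# Portals named in the thread whose links are allowed into a ticket.
TRUSTED_EXACT_HOSTS = ("protection.office.com",)
TRUSTED_HOST_SUFFIX = ".portal.cloudappsecurity.com"   # <tenant>.portal.cloudappsecurity.com


def odata_string(value: str) -> str:
    """Quote a string literal for $filter; the only escape OData needs is '' for '."""
    return "'" + value.replace("'", "''") + "'"


def build_alerts_request(token: str, provider: Optional[str] = None,
                         since: Optional[str] = None, top: int = 50) -> tuple:
    """URL and headers for one page of alerts, newest first.

    ``provider`` is a string literal and is escaped; ``since`` is an OData
    datetime literal (bare, e.g. 2020-04-29T00:00:00Z), so it is checked
    against a strict pattern instead of quoted.
    """
    clauses = []
    if provider:
        clauses.append(f"vendorInformation/provider eq {odata_string(provider)}")
    if since:
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z", since):
            raise ValueError(f"since must be an ISO 8601 UTC timestamp: {since!r}")
        clauses.append(f"createdDateTime ge {since}")
    params = {"$top": str(top), "$orderby": "createdDateTime desc"}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return f"{GRAPH_ALERTS}?{urlencode(params)}", headers


def is_trusted_portal_link(url: str) -> bool:
    """True only for https links to the portals named in the thread."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host in TRUSTED_EXACT_HOSTS or host.endswith(TRUSTED_HOST_SUFFIX))


def alerts_to_ticket_rows(page: dict) -> list:
    """Flatten one page of alerts into the fields a ticket needs.

    ``sourceMaterials`` carries the provider's own links back to its portal;
    they are kept only when they point at a trusted portal, because whatever
    lands in the ticket gets clicked by an analyst.
    """
    rows = []
    for alert in page.get("value", []):
        vendor = alert.get("vendorInformation") or {}
        users = {s["userPrincipalName"] for s in alert.get("userStates") or []
                 if s.get("userPrincipalName")}
        ips = {c["sourceAddress"] for c in alert.get("networkConnections") or []
               if c.get("sourceAddress")}
        rows.append({
            "id": alert["id"],
            "title": alert.get("title", ""),
            "severity": alert.get("severity", "unknown"),
            "status": alert.get("status", "unknown"),
            "provider": vendor.get("provider", ""),
            "users": sorted(users),
            "source_ips": sorted(ips),
            "links": [u for u in alert.get("sourceMaterials") or []
                      if is_trusted_portal_link(u)],
        })
    return rows


def next_page_url(page: dict) -> Optional[str]:
    """Graph pages results; follow @odata.nextLink until it is absent."""
    return page.get("@odata.nextLink")


# Constructed sample response in the shape of GET /security/alerts. The provider
# string and the second, look-alike link are made up for illustration.
SAMPLE_PAGE = {
    "value": [{
        "id": "2f3a9c1e-6b2d-4b0e-9c5a-1d2e3f4a5b6c",
        "title": "Phishing mail delivered to mailbox",
        "severity": "medium",
        "status": "newAlert",
        "createdDateTime": "2020-04-29T10:15:00Z",
        "vendorInformation": {"provider": "Office 365 Security and Compliance",
                              "vendor": "Microsoft"},
        "userStates": [{"userPrincipalName": "alice@contoso.example"}],
        "networkConnections": [{"sourceAddress": "203.0.113.10"}],
        "sourceMaterials": [
            "https://protection.office.com/?hash=/threatexplorer?messageParams="
            "1f4c2e6a-2e4e-4f13-9e58-9b36a1c4d2f0,2020-04-29T00:00:00,"
            "2020-04-29T23:59:59&view=Phish",
            "http://protection.office.com.attacker.example/?hash=/threatexplorer",
        ],
    }],
}


if __name__ == "__main__":
    url, _ = build_alerts_request("<token>", provider="Office 365 Security and Compliance",
                                  since="2020-04-29T00:00:00Z")
    print(url)
    for row in alerts_to_ticket_rows(SAMPLE_PAGE):
        print(row)
```

The host check is exact for protection.office.com and suffix-based only for the tenant-prefixed Cloud App Security portal; a plain `endswith("protection.office.com")` would also accept a look-alike such as the second sample link. On the licensing question raised in the last reply, the API only returns alerts for products the tenant is already entitled to, so it is worth testing against a real alert before wiring it into the ticketing system.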