Nov 10 2019 01:57 AM
Nov 12 2019 12:32 AM
Are you sure the process is called "firefox"? You are doing a ==, which means it has to match exactly. Do a NetworkCommunicationEvents without anything else in the query and check what you get back. I bet it's more like "firefox.exe".
Cheers,
Jan
Blog: emptyDC.com | Podcast: HairlessInTheCloud.com
May 27 2020 09:07 AM
@Jan Geisbauer Is there a dictionary that describes the source for each field's value?
Jul 08 2020 04:05 PM
@fedecharosky Hi,
If it was an encrypted URL it won't be captured, as I've observed this issue before; however, the query below can provide you better context about your inquiry.
DeviceNetworkEvents
| where Timestamp > ago(2d)
| where InitiatingProcessFileName has "firefox"
| project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
I hope that helps, let me know if you want any further information.
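To tie the two replies together, here is an added advanced hunting query (not posted by anyone in this thread) that first lets you confirm the exact InitiatingProcessFileName values (the earlier reply's point that == requires an exact match, so "firefox" would miss "firefox.exe"), and then shows how many Firefox connections per remote port have no RemoteUrl recorded, which is the pattern the reply above describes for encrypted traffic. It uses only the standard DeviceNetworkEvents columns already named on this page; the 2-day window and the "firefox" term are assumptions you can change.

```kql
// Added example query: verify the real process name, then check URL capture per port.
DeviceNetworkEvents
| where Timestamp > ago(2d)                       // assumed lookback window
// 'has' matches the whole term "firefox" inside the file name, so "firefox.exe" qualifies;
// 'InitiatingProcessFileName == "firefox"' would only match that exact string.
| where InitiatingProcessFileName has "firefox"
| extend UrlCaptured = isnotempty(RemoteUrl)      // true when the sensor recorded a URL
| summarize Connections = count(),
            WithUrl = countif(UrlCaptured),
            WithoutUrl = countif(not(UrlCaptured))
          by InitiatingProcessFileName, RemotePort  // exact names surface here (e.g. firefox.exe)
| order by Connections desc
```

Read the InitiatingProcessFileName column of the result to pick the exact value for an == filter if you need one, and compare WithoutUrl on port 443 against port 80 to see how much of the encrypted traffic lacks a RemoteUrl on your own tenant before relying on that column for detection logic.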