Hi @fedecharosky 

are you sure the process is called "firefox". You are doing a == that means it has to match exactly. Do a NetworkCommunicationEvents without anything else in the query and check what you get back. I bet its more like "firefox.exe" ..

Cheers,

Jan

Blog: emptyDC.com | Podcast: HairlessInTheCloud.com

@fedecharosky Hi ,

If it was encrypted URL it won't be captured as I've observed this issue before, however below query can provide you better context about your inquiry.

DeviceNetworkEvents
| where Timestamp > ago(2d)
| where InitiatingProcessFileName has "firefox"
| project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine

output

I hope that helps, let me know if you want any further information.