How does NetworkCommunicationsEvents > RemoteURL entity get filled?

Hi team,
 
With WDATP EDR available for Mac I wanted to investigate the RemoteURL field for all Firefox processes, but we don't seem to be capturing that data.
 
NetworkCommunicationEvents
| where InitiatingProcessFileName == "firefox"
| summarize by RemoteUrl  // the schema column is RemoteUrl; Kusto column names are case-sensitive
 
RemoteIP is correctly filled, but not RemoteURL.
 
Any ideas?
3 Replies

Hi @fedecharosky,

Are you sure the process is called "firefox"? You are doing a ==, which means it has to match exactly. Do a NetworkCommunicationEvents without anything else in the query and check what you get back. I bet it's more like "firefox.exe"..

 

Cheers,

Jan

Blog: emptyDC.com | Podcast: HairlessInTheCloud.com


@Jan Geisbauer Is there a dictionary that describes the source for each field's value?


Hi @fedecharosky,

If it was an encrypted URL it won't be captured, as I've observed this issue before; however, the query below can give you better context about your inquiry.

DeviceNetworkEvents
| where Timestamp > ago(2d)
| where InitiatingProcessFileName has "firefox"
| project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine

Output:

(screenshot: Screen Shot 2020-07-09 at 3.04.31 AM.png)

 

I hope that helps, let me know if you want any further information.
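Added example, not part of the thread and not a Microsoft-supplied query: it combines the two diagnostics suggested above. It uses "has" instead of "==" so that name variants such as "firefox.exe" are included, and it reports how often RemoteUrl is populated per process name and remote port, which separates a process-name mismatch from the encrypted-connection case the last reply describes, where only RemoteIP is available. It assumes the current DeviceNetworkEvents table (the successor of NetworkCommunicationEvents) and a seven-day lookback.

```kql
// Added diagnostic query, not from the thread. Assumes the current DeviceNetworkEvents
// schema (successor of NetworkCommunicationEvents) and a 7-day lookback.
DeviceNetworkEvents
| where Timestamp > ago(7d)
// 'has' is a case-insensitive term match, so "firefox", "firefox.exe" and other
// names containing the term all qualify; '==' needs an exact, case-sensitive match.
| where InitiatingProcessFileName has "firefox"
| extend HasUrl = isnotempty(RemoteUrl)
| summarize
    Connections = count(),
    WithUrl     = countif(HasUrl),
    SampleUrl   = anyif(RemoteUrl, HasUrl),
    Devices     = dcount(DeviceId)
  by InitiatingProcessFileName, RemotePort
// Share of connections for which the sensor recorded a URL or FQDN. A low value on
// port 443 points at encrypted traffic rather than at the process-name filter.
| extend UrlFillRate = round(100.0 * WithUrl / Connections, 1)
| order by Connections desc
```

Run it in Advanced hunting. Rows for RemotePort 443 with a UrlFillRate near zero confirm the encrypted-traffic explanation; an empty result means the name filter still matches nothing, in which case a plain summarize by InitiatingProcessFileName shows the names the sensor actually reports.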