KQL to query web browsing


Hi all!

 

My customer is looking to use MDATP for web content filtering (combination of web content filtering & CNIs, powered by MCAS (unsanctioned apps) but has a requirement to investigate web browsing (in this example, for a particular device) and return a full URL path. I'm hoping we can achieve this without using a full on proxy solution but I'm struggling to get the information out of MDATP (or MTP).

 

For example, I can use:

DeviceNetworkEvents
| where DeviceName == "client-name"
| where InitiatingProcessFileName contains "msedge.exe"
| project Timestamp, RemoteUrl, RemoteIP
| sort by Timestamp desc

but RemoteUrl does not show the full path.

 

This query does show full paths, but it only appears to work for downloads:

DeviceFileEvents
| where isnotempty(FileOriginUrl) and InitiatingProcessFileName == "msedge.exe" and DeviceName == "client-name"
| project Timestamp, FileName, FileOriginUrl, FileOriginReferrerUrl, SHA1 
| sort by Timestamp desc

I think I'm asking for functionality that doesn't exist, but just wondering if I can get a sanity check or some guidance? Thanks in advance!

0 Replies
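As an added example (not from the original post or from Microsoft), the query below pulls every URL-bearing record for one device from the three advanced hunting tables that can carry one, labels each row with its source, and flags whether the recorded URL contains a path. It assumes a placeholder device name "client-name", a seven-day window, a short list of browser process names, and that the tenant has SmartScreen and Network Protection events flowing into DeviceEvents (the ActionType values listed are the ones that carry a RemoteUrl; which of them appear depends on what those features have actually observed on the device). It does not make DeviceNetworkEvents report paths it never recorded: it only shows side by side where a full URL is available (downloads, SmartScreen warnings, Network Protection blocks/audits, URLs handed to the browser by another process) and where only the host is.

```kql
// Added example: coverage check for browsing URLs on one device.
// Assumptions: device name and browser list are placeholders; 7-day window.
let target = "client-name";              // assumed placeholder device name
let window = 7d;
let browsers = dynamic(["msedge.exe", "chrome.exe", "firefox.exe"]);
// 1. Network events: RemoteUrl here is usually host-only for browser traffic.
let netEvents = DeviceNetworkEvents
| where Timestamp > ago(window) and DeviceName == target
| where InitiatingProcessFileName in~ (browsers)
| where isnotempty(RemoteUrl)
| project Timestamp, Source = "DeviceNetworkEvents", ActionType,
          Url = RemoteUrl, RemoteIP, InitiatingProcessFileName;
// 2. File events: FileOriginUrl is the full download URL, with referrer.
let fileEvents = DeviceFileEvents
| where Timestamp > ago(window) and DeviceName == target
| where isnotempty(FileOriginUrl)
| project Timestamp, Source = "DeviceFileEvents", ActionType,
          Url = FileOriginUrl, InitiatingProcessFileName,
          FileName, FileOriginReferrerUrl, SHA1;
// 3. DeviceEvents action types that record a RemoteUrl as seen by
//    SmartScreen / Network Protection / browser launch (assumed enabled).
let urlEvents = DeviceEvents
| where Timestamp > ago(window) and DeviceName == target
| where ActionType in ("SmartScreenUrlWarning",
                       "SmartScreenUserOverride",
                       "BrowserLaunchedToOpenUrl",
                       "ExploitGuardNetworkProtectionBlocked",
                       "ExploitGuardNetworkProtectionAudited")
| where isnotempty(RemoteUrl)
| project Timestamp, Source = "DeviceEvents", ActionType,
          Url = RemoteUrl, RemoteIP, InitiatingProcessFileName;
// Combine; columns missing from a branch are left empty by union.
union netEvents, fileEvents, urlEvents
// A path is present only if there is a "/" after the scheme or host.
| extend UrlNoScheme = iff(Url contains "://", substring(Url, indexof(Url, "://") + 3), Url)
| extend UrlHost = tostring(split(UrlNoScheme, "/")[0]),
         HasPath = UrlNoScheme contains "/"
| project Timestamp, Source, ActionType, UrlHost, HasPath, Url,
          RemoteIP, InitiatingProcessFileName, FileName, FileOriginReferrerUrl, SHA1
| sort by Timestamp desc
```

Appending `| summarize Events = count() by Source, HasPath` to the end gives a quick per-table count of how many records carry a path versus host only, which is the quickest way to confirm, for a given device and feature set, what the sensor actually provides before deciding whether a proxy is needed.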