KQL to query web browsing


Hi all!


My customer is looking to use MDATP for web content filtering (a combination of web content filtering and CNIs, powered by MCAS for unsanctioned apps), but has a requirement to investigate web browsing (in this example, for a particular device) and return the full URL path. I'm hoping we can achieve this without using a full-on proxy solution, but I'm struggling to get the information out of MDATP (or MTP).


For example, I can use:

DeviceNetworkEvents
| where DeviceName == "client-name"
| where InitiatingProcessFileName contains "msedge.exe"
| project Timestamp, RemoteUrl, RemoteIP
| sort by Timestamp desc

but RemoteUrl does not show the full path.


This query does show full paths, but it only appears to work for downloads:

DeviceFileEvents
| where isnotempty(FileOriginUrl) and InitiatingProcessFileName == "msedge.exe" and DeviceName == "client-name"
| project Timestamp, FileName, FileOriginUrl, FileOriginReferrerUrl, SHA1
| sort by Timestamp desc

I think I'm asking for functionality that doesn't exist, but I'm just wondering if I can get a sanity check or some guidance. Thanks in advance!

2 Replies
Hi,
I'm looking for the same solution using KQL in Microsoft Defender for Endpoint (MDE)/Azure Sentinel. With the `DeviceNetworkEvents` table, I can retrieve all the history, but the `RemoteUrl` does not show the full path and I get all the URLs, including ads, trackers, and other unwanted URLs.
Any advice for that?!
Thank you.
Hi,
Same issue for me!
This means I cannot match traffic from the workstation with a TI source (like PhishTank or others).
It would be nice to get feedback from MS teams...

Regards,

HA
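As an added example (not from any post in this thread), the query below unions the two tables the original post already uses, so a device's browser activity shows the most URL detail Defender for Endpoint records (the hostname from DeviceNetworkEvents, and the full URL from DeviceFileEvents when a download occurred), drops a list of noise hosts, and flags hosts that appear in an inline indicator list, which is the TI matching the last reply asks about. The device name is the one used in the thread; the browser list, noise hosts and indicator rows are constructed placeholders to be replaced with a real feed or watchlist.

```kql
// Added example: best-available URL timeline for one device, with TI matching.
// Indicator and noise values are constructed placeholders.
let TargetDevice = "client-name";
let Lookback = 7d;
let Browsers = dynamic(["msedge.exe", "chrome.exe", "firefox.exe"]);
let NoiseHosts = dynamic(["ads.example", "tracker.example"]);          // constructed
let Indicators = datatable(IndicatorHost:string, IndicatorSource:string) [
    "phish.example.net",   "placeholder-feed",                          // constructed
    "malware.example.org", "placeholder-feed"                           // constructed
];
// Network connections made by browser processes: usually hostname only.
let NetEvents = DeviceNetworkEvents
| where Timestamp > ago(Lookback) and DeviceName == TargetDevice
| where InitiatingProcessFileName in~ (Browsers) and isnotempty(RemoteUrl)
// RemoteUrl is normally a bare hostname; only parse it when it is a full URL.
| extend Host = iff(RemoteUrl contains "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl)
| project Timestamp, DeviceName, EventTable = "DeviceNetworkEvents",
          Url = RemoteUrl, Host, RemoteIP, FileName = "";
// Downloads by browser processes: FileOriginUrl carries the full URL path.
let FileEvents = DeviceFileEvents
| where Timestamp > ago(Lookback) and DeviceName == TargetDevice
| where InitiatingProcessFileName in~ (Browsers) and isnotempty(FileOriginUrl)
| extend Host = tostring(parse_url(FileOriginUrl).Host)
| project Timestamp, DeviceName, EventTable = "DeviceFileEvents",
          Url = FileOriginUrl, Host, RemoteIP = "", FileName;
union NetEvents, FileEvents
| extend Host = tolower(Host)
| where not(Host in~ (NoiseHosts))
// Left outer join keeps the whole timeline; matched rows get an IndicatorSource.
| join kind=leftouter Indicators on $left.Host == $right.IndicatorHost
| extend Matched = isnotempty(IndicatorSource)
| project Timestamp, DeviceName, EventTable, Host, Url, RemoteIP, FileName, Matched, IndicatorSource
| sort by Matched desc, Timestamp desc
```

Rows from DeviceNetworkEvents will still show only the host in the Url column; the full path only appears for DeviceFileEvents rows, which is the limitation the thread describes.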