KQL to query web browsing

Occasional Contributor

Hi all!

 

My customer is looking to use MDATP for web content filtering (combination of web content filtering & CNIs, powered by MCAS (unsanctioned apps) but has a requirement to investigate web browsing (in this example, for a particular device) and return a full URL path. I'm hoping we can achieve this without using a full on proxy solution but I'm struggling to get the information out of MDATP (or MTP).

 

For example I can use ;

DeviceNetworkEvents
| where DeviceName == "client-name"
| where InitiatingProcessFileName contains "msedge.exe"
| project Timestamp, RemoteUrl, RemoteIP
| sort by Timestamp desc

but RemoteURL does not show the full path. 

 

This query does show full paths, but it only appears to work for downloads;

DeviceFileEvents
| where isnotempty(FileOriginUrl) and InitiatingProcessFileName == "msedge.exe" and DeviceName == "client-name"
| project Timestamp, FileName, FileOriginUrl, FileOriginReferrerUrl, SHA1 
| sort by Timestamp desc

 I think I'm asking for functionality that doesn't exist, but just wondering if I can get a sanity check or some guidance? Thanks in advance!

0 Replies