Microsoft Tech Community

KQL to query web browsing


Hi all!


My customer is looking to use MDATP for web content filtering (a combination of web content filtering & CNIs, powered by MCAS (unsanctioned apps)) but has a requirement to investigate web browsing (in this example, for a particular device) and return a full URL path. I'm hoping we can achieve this without using a full-on proxy solution, but I'm struggling to get the information out of MDATP (or MTP).


For example, I can use:

DeviceNetworkEvents
| where DeviceName == "client-name"
| where InitiatingProcessFileName contains "msedge.exe"
| project Timestamp, RemoteUrl, RemoteIP
| sort by Timestamp desc

but RemoteUrl does not show the full path.


This query does show full paths, but it only appears to work for downloads:

DeviceFileEvents
| where isnotempty(FileOriginUrl) and InitiatingProcessFileName == "msedge.exe" and DeviceName == "client-name"
| project Timestamp, FileName, FileOriginUrl, FileOriginReferrerUrl, SHA1 
| sort by Timestamp desc

I think I'm asking for functionality that doesn't exist, but I'm just wondering if I can get a sanity check or some guidance? Thanks in advance!

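As an added example (not from the original post), the two queries above can be combined into one hunting query that pulls URL evidence for a device from both tables, labels which table each row came from, and flags whether the row actually carries a path beyond the host. It assumes the Advanced Hunting columns named in the post and uses "client-name" and a 7-day window as placeholders.

```kql
// Added example: URL evidence for one device from both tables, side by side.
// TargetDevice and Lookback are assumed placeholders; change them as needed.
let TargetDevice = "client-name";
let Lookback = 7d;
// Browser network connections: RemoteUrl is typically only the host name.
let NetUrls = DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where DeviceName == TargetDevice
    | where InitiatingProcessFileName =~ "msedge.exe"
    | where isnotempty(RemoteUrl)
    | project Timestamp, Source = "DeviceNetworkEvents", Url = RemoteUrl,
              Referrer = "", RemoteIP, FileName = "";
// Browser downloads: FileOriginUrl carries the full URL of the fetched file.
let FileUrls = DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where DeviceName == TargetDevice
    | where InitiatingProcessFileName =~ "msedge.exe"
    | where isnotempty(FileOriginUrl)
    | project Timestamp, Source = "DeviceFileEvents", Url = FileOriginUrl,
              Referrer = FileOriginReferrerUrl, RemoteIP = "", FileName;
union NetUrls, FileUrls
// parse_url() needs a scheme; bare host names from RemoteUrl get one added.
| extend Parsed = parse_url(iff(Url has "://", Url, strcat("https://", Url)))
| extend Host = tostring(Parsed.Host), Path = tostring(Parsed.Path)
// True only where the table gave us more than the host (i.e. downloads).
| extend HasFullPath = isnotempty(Path) and Path != "/"
| project Timestamp, Source, Host, Path, HasFullPath, Referrer, RemoteIP, FileName
| sort by Timestamp desc
```

Filtering on HasFullPath == true shows at a glance that only DeviceFileEvents rows carry a path, which is the gap the post describes.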