SOLVED

URL Blocking incidents and action log

Occasional Contributor

Hello All,

Is there a way, when you block a URL in ATP, to not generate an alert or incident? For example, blocking a URL that people keep trying will generate lots of alerts. If I want to turn off the IOC it looks like it will turn off other things. Or am I missing something?

Also I can't seem to find any log of actions taken on a single page by everyone. This would be handy for when you want to check on file downloads you have initiated etc. Is it just that I am missing something, or is this a feature request? :)

4 Replies

@mbhmirc

Hi,

Based on your question, you want to detect when the mentioned URL is accessed and not block it (without generating alerts, which cause noise).

From a WDATP perspective, it can be achieved if you create a "detection rule" in Advanced Hunting.

USE THE QUERY BELOW TO GENERATE A DETECTION RULE (DROPBOX AS AN EXAMPLE OF AN IOC FOR TESTING)

// THIS QUERY WILL IDENTIFY IF THERE WAS A HIT TO THE IOC DOMAIN IN THE LAST 7 DAYS WITH A COUNT OF 3 OR MORE.

DeviceNetworkEvents
| where Timestamp > ago(7d)            // look back 7 days
| where RemoteUrl has "dropbox"        // IOC term used for testing
// keep the latest hit per device (arg_max on Timestamp) together with the number of hits
| summarize (Timestamp, ReportId, DeviceName, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, ActionType)=arg_max(Timestamp, ReportId, DeviceName, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, ActionType), count() by DeviceId
| where count_ >= 3                    // 3 or more hits, as the comment above describes

But I would highly recommend using your company DNS solution or web proxy instead for this requirement.

For detection, the way I see it you can meet your requirement with the support of your SIEM.

1- If WDATP is integrated, you can easily create a dashboard/report for the accessed websites.

2- If not, you can achieve the same with proxy/DNS logs.

I hope that will help you.
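A Python mirror of the aggregation in the query above, added here as an example (it is not code from the thread or from Microsoft) and run over constructed DeviceNetworkEvents-style records: it keeps events inside the look-back window whose RemoteUrl contains the IOC as a whole term (an approximation of KQL `has`, which is why a URL on `dropboxusercontent.com` is not matched by `has "dropbox"`), keeps the latest event per DeviceId together with the hit count, and flags only devices at or above the threshold. Column names follow the DeviceNetworkEvents schema; the sample data, the `_terms` approximation and the `window_days`/`min_count` parameters are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)


def _event(device_id, hours_ago, url, report_id, action="ConnectionFailed"):
    # One DeviceNetworkEvents-style record; every value here is constructed.
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "ReportId": report_id,
            "DeviceId": device_id, "DeviceName": f"host-{device_id}",
            "RemoteUrl": url, "ActionType": action}


# Constructed sample telemetry (not real data): A has 3 hits in the window,
# B has 2 in the window plus 1 that is too old, C only touches a domain whose
# indexed term is "dropboxusercontent", D never touches the IOC.
SAMPLE_EVENTS = [
    _event("A", 1, "https://www.dropbox.com/s/abc", 1),
    _event("A", 5, "https://www.dropbox.com/login", 2),
    _event("A", 30, "https://www.dropbox.com/home", 3),
    _event("B", 2, "https://www.dropbox.com/", 4),
    _event("B", 50, "https://www.dropbox.com/", 5),
    _event("B", 8 * 24, "https://www.dropbox.com/", 6),
    _event("C", 3, "https://dl.dropboxusercontent.com/x", 7),
    _event("C", 4, "https://dl.dropboxusercontent.com/y", 8),
    _event("C", 6, "https://dl.dropboxusercontent.com/z", 9),
    _event("D", 1, "https://example.org/", 10),
]


def _terms(url):
    # Approximates KQL term indexing (assumption): alphanumeric runs, case-folded.
    # This is why 'has "dropbox"' does not match the term "dropboxusercontent".
    return set(re.findall(r"[a-z0-9]+", url.lower()))


def ioc_hits_per_device(events, ioc, now=NOW, window_days=7, min_count=3):
    """Mirror of the query: keep events inside the window whose RemoteUrl has the
    IOC term, then per DeviceId return the latest event (arg_max on Timestamp)
    with the hit count (count_), keeping only devices with count_ >= min_count."""
    cutoff = now - timedelta(days=window_days)
    latest, counts = {}, {}
    for ev in events:
        if ev["Timestamp"] <= cutoff or ioc.lower() not in _terms(ev["RemoteUrl"]):
            continue
        dev = ev["DeviceId"]
        counts[dev] = counts.get(dev, 0) + 1
        if dev not in latest or ev["Timestamp"] > latest[dev]["Timestamp"]:
            latest[dev] = ev
    return {dev: dict(latest[dev], count_=n) for dev, n in counts.items() if n >= min_count}
```

Widening `window_days` or lowering `min_count` shows how the same per-device roll-up trades noise for sensitivity, which is the knob a suppression-free detection rule gives you.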

@_UAEx Hello, we would like to block and not generate the alert.  It causes a lot of noise in the dashboard as people keep trying a URL that is blocked.  

best response confirmed by mbhmirc (Occasional Contributor)
Solution

@PhilTappUK I was trying to do it from the Alert, not the page.  Just saw you can do it in a better fashion on the page.  Thank you.