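// Correlate links opened from Outlook (or the Windows Mail app) with Defender alerts
// raised on the same device shortly afterwards. One row per opened link (Safe Links
// wrappers unwrapped to the original target) with the alert titles that followed it
// within three minutes.
let minTimeRange = ago(7d);
let outlookLinks =
    DeviceEvents
    // BrowserLaunchedToOpenUrl is the event for a process handing a URL to the browser.
    | where Timestamp > minTimeRange
        and ActionType == "BrowserLaunchedToOpenUrl"
        and isnotempty(RemoteUrl)
    | where
        // outlook.exe: the Outlook desktop client.
        InitiatingProcessFileName =~ "outlook.exe"
        // runtimebroker.exe: opens links on behalf of the Windows 10 Mail app.
        or InitiatingProcessFileName =~ "runtimebroker.exe"
    | project Timestamp, DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName,
              ParsedUrl = parse_url(RemoteUrl)
    // Safe Links rewrites URLs to https://<region>.safelinks.protection.outlook.com/?url=<original>.
    // The test runs on the parsed host only, so a lookalike string in the path, query or
    // fragment of an attacker-supplied URL cannot pass as a Safe Link.
    | extend WasOutlookSafeLink = (tostring(ParsedUrl.Host) endswith "safelinks.protection.outlook.com")
    // Recover the original target from the Safe Links wrapper. parse_url() exposes the
    // query string under the key "Query Parameters" (with a space) -- "QueryParameters"
    // silently yields an empty OpenedLink. The recovered value is attacker-controlled
    // input: report it, never trust it.
    | project Timestamp, DeviceId, DeviceName, WasOutlookSafeLink, InitiatingProcessFileName,
              OpenedLink = iff(WasOutlookSafeLink,
                               url_decode(tostring(ParsedUrl["Query Parameters"]["url"])),
                               RemoteUrl);
let alerts =
    AlertInfo
    // AlertInfo carries the alert metadata but not the device; AlertEvidence maps an
    // alert to the device(s) it involves. Without this join the later join on DeviceId
    // has no key to match on.
    | join kind=inner (
        AlertEvidence
        | where isnotempty(DeviceId)
        | distinct AlertId, DeviceId
      ) on AlertId
    // One row per alert/device, stamped with the earliest activity time it covers.
    | summarize (FirstDetectedActivity, Title) = arg_min(Timestamp, Title) by AlertId, DeviceId
    | where FirstDetectedActivity > minTimeRange;
alerts
// The join key is DeviceId only; the time window below is what ties an alert to a click.
| join kind=inner (outlookLinks) on DeviceId
// Keep alerts whose first activity falls 0-3 minutes after the link was opened. Every
// other link opened on that device inside the window is attributed to the alert as
// well, so treat the correlation as a lead, not as proof that this link caused it.
| where FirstDetectedActivity - Timestamp between (0min .. 3min)
| summarize FirstDetectedActivity = min(FirstDetectedActivity),
            AlertTitles = make_set(Title)
          by OpenedLink, InitiatingProcessFileName,
             EventTime = bin(Timestamp, 1tick), DeviceName, DeviceId, WasOutlookSafeLink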
Links opened from outlook.exe (or RuntimeBroker.exe for the Windows Mail app), followed within three minutes by a Defender alert on the same device — typically a warning that the user ignored.