Mar 02 2022 02:16 AM
I'm new to Sentinel, so please be forgiving. I have created a watchlist of domains to check the URL requested by the user against it. How do I get the URL requested by a user?
Mar 02 2022 02:37 AM
hi @AbiPanah
I'm going to assume that you are using Microsoft Defender for Endpoint on your devices.
First question: are you syncing your DeviceNetworkEvents to your sentinel workspace?
You can verify this via the Microsoft 365 Defender (preview) connector.
Be warned: enabling this will increase the data usage of your Sentinel workspace and result in an extra cost.
If you don't want to enable this you will have to go to security.microsoft.com > advanced hunting.
There you could write a hunting rule, but that part doesn't support watchlists.
In regards to the URL data: MDE doesn't ingest the complete URL with all of its parameters. DeviceNetworkEvents only contains the domain that was resolved.
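As an added example that is not part of the original thread, this is the kind of KQL query that does the watchlist check once DeviceNetworkEvents is flowing into the Sentinel workspace through the Microsoft 365 Defender connector. The watchlist name `DomainWatchlist` and the assumption that its `SearchKey` column holds bare domains (for example `example.com`) are hypothetical; `_GetWatchlist`, `parse_url` and the DeviceNetworkEvents columns used here are standard Sentinel/MDE names.

```kql
// Added example, not from the original post. Assumes a Sentinel watchlist named
// "DomainWatchlist" (hypothetical) whose SearchKey column contains bare domains.
let watched =
    _GetWatchlist('DomainWatchlist')
    | project Domain = tolower(trim(@"\s", tostring(SearchKey)));
DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where isnotempty(RemoteUrl)
// RemoteUrl from MDE normally carries only the host name, not the full URL with
// path or query string, so parse_url() is used just to cope with the cases
// where a scheme is present; a bare host falls back to the raw value.
| extend ParsedHost = tolower(tostring(parse_url(RemoteUrl).Host))
| extend Host = iff(isempty(ParsedHost), tolower(RemoteUrl), ParsedHost)
// Exact match on the watchlist domain; to also catch subdomains, replace the
// join with: | where Host has_any (toscalar(watched | summarize make_list(Domain)))
| join kind=inner watched on $left.Host == $right.Domain
| project TimeGenerated, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, ActionType
| order by TimeGenerated desc
```

This runs in the Sentinel Logs blade or as the query of a scheduled analytics rule; it will not run in the security.microsoft.com advanced hunting portal because `_GetWatchlist` is a Sentinel function and is not available there. Keep `ago(1d)` aligned with the rule's lookback window so every event is evaluated exactly once.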
Mar 04 2022 03:14 PM