How to get the URL requested by the user in a browser?


I'm new to Sentinel, so please be forgiving. I have created a watchlist of domains to check the URL requested by the user against it. How do I get the URL requested by a user?

2 Replies

Hi @AbiPanah


I'm going to assume that you are using the Microsoft Defender For Endpoint on your devices. 

 

First question: are you syncing your DeviceNetworkEvents to your Sentinel workspace?
You can verify this via the Microsoft 365 Defender (preview) connector.


Be warned: enabling this will increase the data usage of your Sentinel workspace and result in an extra cost.

 

If you don't want to enable this, you will have to go to security.microsoft.com > advanced hunting.
There you could write a hunting rule, but that part doesn't support watchlists.

Regarding the URL data: MDE doesn't ingest the complete URL with all of its parameters. DeviceNetworkrequest only contains the domain that was resolved.



 

Also, to add on top of this, and not knowing your setup, you could also link this with your firewall logs if you have connected them.

Link below for basic reference.

https://azurecloudai.blog/2021/03/15/how-to-azure-sentinel-watchlist-kql-basics/
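
The watchlist check discussed in this thread could look like the following Sentinel query. It is an added example, not code posted by either reply author. It assumes DeviceNetworkEvents is ingested through the Microsoft 365 Defender connector and that a watchlist with the hypothetical alias `BlockedDomains` holds one bare domain per row in its SearchKey column.

```kusto
// Added example; the watchlist alias 'BlockedDomains' is hypothetical.
// Normalise the watchlist entries: lower-case, no stray whitespace or dots.
let watchDomains = _GetWatchlist('BlockedDomains')
    | project WatchDomain = tolower(trim(@"[\s.]+", tostring(SearchKey)))
    | where isnotempty(WatchDomain);
DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where isnotempty(RemoteUrl)
// RemoteUrl normally holds only the resolved host, but strip any scheme,
// port or path defensively so the comparison is host against host.
| extend Host = tolower(extract(@"^(?:[a-zA-Z][a-zA-Z0-9+.\-]*://)?([^/:?#]+)", 1, RemoteUrl))
| where isnotempty(Host)
// Expand each host into itself plus its parent domains, so that
// sub.example.com matches a watchlist entry of example.com.
// The bare top-level label (e.g. "com") is never used as a candidate.
| extend Labels = split(Host, ".")
| mv-apply i = range(0, array_length(Labels) - 2) to typeof(long) on (
    extend Candidate = strcat_array(array_slice(Labels, i, -1), ".")
  )
| join kind=inner (watchDomains) on $left.Candidate == $right.WatchDomain
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, Host, WatchDomain
| order by LastSeen desc
```

Because only the host is available in this table, watchlist entries that include a path or query string will never match and should be reduced to the domain first.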