Web Traffic data hunt #111
Comments
Try this.
// This query finds all network communication for a specific userID and Date Range and displays the Process communicating
I am struggling to create a query to match https://urlhaus.abuse.ch/downloads/text/ or https://urlhaus.abuse.ch/downloads/text_recent/. Can you help?
Hi JakKAaj,
You can use this example: EmailAttachmentInfo
Using the externaldata operator you can use a list from an external source in your query.
Good morning all,
...once you have that, we should probably try to parse out the DeviceNetworkEvents in the same manner for matching:
...and now put them together with some joins to perform comparisons. To achieve this, you'll need to use a function such as mvexpand followed by a comparison operator.
Let me know if that works for you
Hi,
Thanks, I can see the gap now. I have run a test on one of the URLs from the urlhaus list but there was no match. I can't find where the problem is.
From: Michael Melone <notifications@github.com>
Sent: Monday, November 16, 2020 5:31 PM
To: microsoft/Microsoft-365-Defender-Hunting-Queries <Microsoft-365-Defender-Hunting-Queries@noreply.github.com>
Cc: Michal Kalisz - QIAGEN <Michal.Kalisz@qiagen.com>; Comment <comment@noreply.github.com>
Subject: Re: [microsoft/Microsoft-365-Defender-Hunting-Queries] Web Traffic data hunt (#111)
Good morning all,
Here's how I would likely approach the issue. First, parse the URLs from urlhaus into their individual parts using the parse_url() function:
(externaldata(payload_url: string) [@"https://urlhaus.abuse.ch/downloads/text_recent/"]
with (format="txt"))
// the feed starts with "#" comment lines; drop them so only real URLs reach parse_url
| where payload_url !startswith "#"
| extend ParsedUrl = parse_url(payload_url)
| evaluate bag_unpack(ParsedUrl)
// parse_url leaves Port empty when the URL carries none, so fill in the scheme default
| extend Port = case(isnotempty(Port), Port, Scheme == 'http', "80", Scheme == 'https', "443", Port)
...once you have that, we should probably try to parse out the DeviceNetworkEvents in the same manner for matching:
DeviceNetworkEvents
| take 100 // small sample while testing; remove for a real hunt
// RemoteUrl is often a bare host name with no scheme, which parse_url cannot split, so build the bag by hand;
// (?i) makes the host-name check case-insensitive
| extend ParsedUrl = iff(RemoteUrl matches regex @'(?i)^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$', todynamic(strcat('{"Host":"', tolower(RemoteUrl), '"}')), parse_url(RemoteUrl))
| evaluate bag_unpack(ParsedUrl)
...and now put them together with some joins to perform comparisons. To achieve this, you'll need to use a function such as mvexpand followed by a comparison operator.
Also, as a former incident responder, I would probably be a bit more paranoid than most and look for simple IP matches as well as FQDN matches. Here we go:
let urlhausurls = toscalar((externaldata(payload_url: string) [@"https://urlhaus.abuse.ch/downloads/text_recent/"]
with (format="txt"))
| where payload_url !startswith "#"
| extend ParsedUrl = parse_url(payload_url)
| evaluate bag_unpack(ParsedUrl)
| extend Port = case(isnotempty(Port), Port, Scheme == 'http', "80", Scheme == 'https', "443", Port)
// pack every feed row into one bag and collect the bags into a single array
| extend Packed = pack_all()
| summarize make_list(Packed));
DeviceNetworkEvents
| take 100 // small sample while testing; remove for a real hunt
| extend ParsedUrl = iff(RemoteUrl matches regex @'(?i)^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$', todynamic(strcat('{"Host":"', tolower(RemoteUrl), '"}')), parse_url(RemoteUrl))
| evaluate bag_unpack(ParsedUrl)
// attach the whole feed array to every event and expand it: this yields (events x feed entries) rows, which is why it is slow on a full feed
| extend UrlHaus = urlhausurls
| mv-expand UrlHaus
| evaluate bag_unpack(UrlHaus, 'UrlHaus_')
// the feed port is a string after the case() above while RemotePort is an int, so convert before comparing
| extend HostAndPortMatch = ((RemoteIP == UrlHaus_Host or Host == UrlHaus_Host) and RemotePort == toint(UrlHaus_Port)), UriStemMatch = (isnotempty(UrlHaus_Path) and Path == UrlHaus_Path)
| where HostAndPortMatch == true
Let me know if that works for you
One slight modification - using case insensitive equals
Not sure why but the query times out in WDATP.
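As an added example (my own code, not from this thread or from the Microsoft-365-Defender-Hunting-Queries project), here is the same host/IP-plus-port comparison rebuilt around a keyed join. The mv-expand version in the quoted email pairs every network event with every feed entry before filtering, so the row count is events times feed size, which is what makes it slow enough to time out on a full feed; a join only pairs rows whose host and port keys agree. The event-side columns (Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName) are from the DeviceNetworkEvents schema; LookbackWindow, UrlHausIndicators, MatchKey and the Indicator*/Event* column names are assumptions I introduced for this example.

```kql
// Added example: keyed join against the URLhaus feed instead of an mv-expand cross product.
let LookbackWindow = 7d;   // assumed hunting window
// Indicator side: one row per feed URL, keyed on lower-cased host and numeric port.
let UrlHausIndicators =
    externaldata(payload_url: string) [@"https://urlhaus.abuse.ch/downloads/text_recent/"]
        with (format="txt")
    | where payload_url !startswith "#"            // drop the feed's comment/header lines
    | extend ParsedUrl = parse_url(payload_url)
    | extend IndicatorScheme = tolower(tostring(ParsedUrl.Scheme)),
             IndicatorHost   = tolower(tostring(ParsedUrl.Host)),
             IndicatorPath   = tostring(ParsedUrl.Path)
    // parse_url leaves Port empty when the URL has none: fall back to the scheme default
    | extend IndicatorPort = toint(case(isnotempty(tostring(ParsedUrl.Port)), tostring(ParsedUrl.Port),
                                        IndicatorScheme == "http",  "80",
                                        IndicatorScheme == "https", "443",
                                        "0"))
    | where isnotempty(IndicatorHost)
    | project payload_url, IndicatorHost, IndicatorPort, IndicatorPath;
// Event side: derive a host from RemoteUrl (a bare host name has no scheme, so parse_url
// cannot split it), then emit one candidate key for the host and one for the raw IP.
DeviceNetworkEvents
| where Timestamp > ago(LookbackWindow)
| extend ParsedRemoteUrl = iff(RemoteUrl matches regex @'(?i)^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$',
                               todynamic(strcat('{"Host":"', tolower(RemoteUrl), '"}')),
                               parse_url(RemoteUrl))
| extend EventHost = tolower(tostring(ParsedRemoteUrl.Host)),
         EventPath = tostring(ParsedRemoteUrl.Path)
// Two keys per event (host name and IP). This mv-expand only doubles the event rows;
// it does not multiply them by the size of the feed.
| extend MatchKey = pack_array(EventHost, RemoteIP)
| mv-expand MatchKey to typeof(string)
| where isnotempty(MatchKey)
// Join on host/IP and port; RemotePort and IndicatorPort are both int, so no string comparison.
| join kind=inner UrlHausIndicators on $left.MatchKey == $right.IndicatorHost, $left.RemotePort == $right.IndicatorPort
| extend UriStemMatch = isnotempty(IndicatorPath) and EventPath == IndicatorPath
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl,
          payload_url, UriStemMatch
| order by Timestamp desc
```

Matching on the IP key as well as the host name keeps the "simple IP match" from the email, since many URLhaus payload URLs use an IP literal as the host. UriStemMatch is kept as a column rather than a filter because most DeviceNetworkEvents rows carry only a host name in RemoteUrl, so a path-level match is a bonus signal, not a requirement.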
Trying to write a script that will show me all internet/web traffic data for a specific person/machine for a specific amount of a time range.
Example: I want to see what Joe Smith did for the past 30 days with web searching.
Can't seem to find anything that will fit this nor can I seem to write a usable script in Defender.
Can anyone help? Please :)