This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 546
/
Copy pathOpen email link.txt
71 lines (70 loc) · 5.37 KB
/
Open email link.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
// Query for links opened from mail apps – if a detection occurred right afterwards.
// As there are many links opened from mails, to have a successful hunt we should have some filter or join with some other signal,
// such as suspicious processes, network connections, etc.
// Therefore, in this example, we query for alerts that might be related to links sent via email.
// This could be indicative of a phishing or spear-phishing attacks.
// Tags: #EmailLink, #Phishing, #GetNearbyAlerts
// Explaining the underlying data:
// This query uses the BrowserLaunchedToOpenUrl event, that includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files
// For this event, RemoteUrl contains the opened URL.
let minTimeRange = ago(7d);
let outlookLinks =
DeviceEvents
// Filter on click on links from outlook
| where Timestamp > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
| where
// outlook.exe is the Office Outlook app
InitiatingProcessFileName =~ "outlook.exe"
// RuntimeBroker.exe opens links for all apps from the Windows store, including the Windows Mail app (HxOutlook.exe).
// However, it will also include some links opened from other apps.
or InitiatingProcessFileName =~ "runtimebroker.exe"
| project Timestamp, DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName, ParsedUrl=parse_url(RemoteUrl)
// When applicable, parse the link sent via email from the clicked O365 ATP SafeLink
| extend WasOutlookSafeLink=(tostring(ParsedUrl.Host) endswith "safelinks.protection.outlook.com")
| project Timestamp, DeviceId, DeviceName, WasOutlookSafeLink, InitiatingProcessFileName,
OpenedLink=iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl["Query Parameters"]["url"])), RemoteUrl);
let alerts =
DeviceAlertEvents
| summarize (FirstDetectedActivity, Title)=argmin(Timestamp, Title) by AlertId, DeviceId
// Filter alerts that include events from before the queried time period
| where FirstDetectedActivity > minTimeRange;
// Join the two together - looking for alerts that are right after an abnormal network logon
alerts | join kind=inner (outlookLinks) on DeviceId | where FirstDetectedActivity - Timestamp between (0min..3min)
// If there are multiple alerts close to a single click-on-link, aggregate them together to a single row
// Note: bin(Timestamp, 1tick) is used because when summarizing by a datetime field, the default "bin" used is 1-hour.
| summarize FirstDetectedActivity=min(FirstDetectedActivity), AlertTitles=makeset(Title) by OpenedLink, InitiatingProcessFileName, Timestamp=bin(Timestamp, 1tick), DeviceName, DeviceId, WasOutlookSafeLink
// Query for links opened from mail apps – if a detection occurred right afterwards. - MTP Schema
// As there are many links opened from mails, to have a successful hunt we should have some filter or join with some other signal,
// such as suspicious processes, network connections, etc.
// Therefore, in this example, we query for alerts that might be related to links sent via email.
// This could be indicative of a phishing or spear-phishing attacks.
// Tags: #EmailLink, #Phishing, #GetNearbyAlerts
// Explaining the underlying data:
// This query uses the BrowserLaunchedToOpenUrl event, that includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files
// For this event, RemoteUrl contains the opened URL.
let minTimeRange = ago(7d);
let outlookLinks =
DeviceEvents
// Filter on click on links from outlook
| where Timestamp > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
| where
// outlook.exe is the Office Outlook app
InitiatingProcessFileName =~ "outlook.exe"
// RuntimeBroker.exe opens links for all apps from the Windows store, including the Windows Mail app (HxOutlook.exe).
// However, it will also include some links opened from other apps.
or InitiatingProcessFileName =~ "runtimebroker.exe"
| project Timestamp, DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName, ParsedUrl=parse_url(RemoteUrl)
// When applicable, parse the link sent via email from the clicked O365 ATP SafeLink
| extend WasOutlookSafeLink=(tostring(ParsedUrl.Host) endswith "safelinks.protection.outlook.com")
| project Timestamp, DeviceId, DeviceName, WasOutlookSafeLink, InitiatingProcessFileName,
OpenedLink=iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl["Query Parameters"]["url"])), RemoteUrl);
let alerts =
AlertInfo | join AlertEvidence on AlertId
| summarize (FirstDetectedActivity, Title)=argmin(Timestamp, Title) by AlertId, DeviceId
// Filter alerts that include events from before the queried time period
| where FirstDetectedActivity > minTimeRange;
// Join the two together - looking for alerts that are right after an abnormal network logon
alerts | join kind=inner (outlookLinks) on DeviceId | where FirstDetectedActivity - Timestamp between (0min..3min)
// If there are multiple alerts close to a single click-on-link, aggregate them together to a single row
// Note: bin(Timestamp, 1tick) is used because when summarizing by a datetime field, the default "bin" used is 1-hour.
| summarize FirstDetectedActivity=min(FirstDetectedActivity), AlertTitles=makeset(Title) by OpenedLink, InitiatingProcessFileName, Timestamp=bin(Timestamp, 1tick), DeviceName, DeviceId, WasOutlookSafeLink