-
Notifications
You must be signed in to change notification settings - Fork 2
/
Hunting-ZIP-MOV.kql
21 lines (17 loc) · 909 Bytes
/
Hunting-ZIP-MOV.kql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Search for users who clicked on ZIP/MOV domains
UrlClickEvents
| extend domain = tostring(parse_url(Url).Host)
| where domain endswith ".zip" or domain endswith ".mov"
| project Timestamp, NetworkMessageId, Clicked_Url = Url
| join EmailEvents on NetworkMessageId
| project Timestamp, Clicked_Url, RecipientEmailAddress, SenderMailFromAddress, SenderFromAddress, Subject, AttachmentCount, UrlCount
Search for domain extensions that end with ZIP/MOV domains.
DeviceNetworkEvents
| extend domain = tostring(extract("https?://([^:/]*)(:?)(/|$)", 1, RemoteUrl))
| where domain endswith ".zip" or domain endswith ".mov"
Detect devices that are blocked from accessing ZIP/MOV domains
DeviceNetworkEvents
| where Timestamp >= ago(1h)
| extend domain = tostring(extract("https?://([^:/]*)(:?)(/|$)",1,RemoteUrl))
| where domain endswith ".zip" or domain endswith ".mov"
| where ActionType != @"ConnectionSuccess"