Query Details

Anomalous Amountof URL Click Events

Query

let startDate = ago(30d);
let endDate = now();
UrlClickEvents
| where ActionType != 'ClickAllowed'
| where TimeGenerated between (startDate .. endDate)
| make-series ClickCount=count() on TimeGenerated from startDate to endDate step 1d
| extend (anomalies, score, baseline) = series_decompose_anomalies(ClickCount)
| mv-expand TimeGenerated to typeof(datetime), ClickCount to typeof(long), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where score > 0.1
// Only If needed | where anomalies > 0
| project TimeGenerated, ClickCount, anomalies, score, baseline

About this query

Explanation

This query is designed to detect unusual URL click activities that might indicate potential cybersecurity threats, such as phishing attacks, malware downloads, command and control traffic, data exfiltration, or suspicious redirects. It uses the UrlClickEvents table in Microsoft Sentinel to analyze URL click events over the past 30 days.

Here's a simplified breakdown of what the query does:

  1. Time Frame: It examines URL click events from the past 30 days.

  2. Filter Events: It filters out events where the action type is 'ClickAllowed', focusing only on potentially suspicious clicks.

  3. Count Clicks: It counts the number of URL clicks per day within the specified time frame.

  4. Anomaly Detection: It uses a function called series_decompose_anomalies to identify anomalies in the daily click counts. This function helps to detect unusual spikes or patterns that deviate from the norm.

  5. Score Filtering: It filters the results to show only those with a score greater than 0.1, indicating a significant anomaly.

  6. Projection: Finally, it projects (or displays) the relevant information, including the timestamp, click count, anomaly score, and baseline for each detected anomaly.

The goal of this query is to help security analysts identify and investigate unusual URL click activities that could be indicative of malicious behavior, allowing them to take proactive measures to mitigate potential threats.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

UrlClickEvents

Keywords

UrlClickEvents

Operators

letagonow|where!=betweenmake-seriescountonfromtostepextendseries_decompose_anomaliesmv-expandtypeof>project

MITRE Techniques

Actions

GitHub