Find all the activities that launched a browser to open a URL from a compromised device.
MDE Browser Launched To Open Url By Compromised Device
Query
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl startswith "http"
| project
TimeGenerated,
DeviceName,
RemoteUrl,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessFolderPathAbout this query
Find all the activities that launched a browser to open a URL from a compromised device.
Defender XDR
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl startswith "http"
| project
Timestamp,
DeviceName,
RemoteUrl,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessFolderPath
Sentinel
Explanation
This query is designed to identify and list all instances where a browser was launched to open a URL from a specific compromised device, within a specified time frame. Here's a simple breakdown of what each part of the query does:
-
Compromised Device: The query focuses on a device identified as compromised, specifically "laptop.contoso.com".
-
Search Window: It looks at events that occurred within the last 48 hours. This time frame can be adjusted as needed.
-
Data Source: The query pulls data from the
DeviceEventstable. -
Filters Applied:
- It only considers events where the action was a browser being launched to open a URL (
ActionType == "BrowserLaunchedToOpenUrl"). - It ensures the URL starts with "http", indicating a web address.
- It only considers events where the action was a browser being launched to open a URL (
-
Output: The query extracts and displays the following details for each relevant event:
- The time the event occurred (
TimestamporTimeGenerated). - The name of the device (
DeviceName). - The URL that was opened (
RemoteUrl). - Information about the process that initiated the browser launch, including:
- The file name of the initiating process (
InitiatingProcessFileName). - The command line used to start the process (
InitiatingProcessCommandLine). - The folder path of the initiating process (
InitiatingProcessFolderPath).
- The file name of the initiating process (
- The time the event occurred (
The query is structured similarly for both Defender XDR and Sentinel, with minor differences in the timestamp field name (Timestamp vs. TimeGenerated).
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators