Defender for Office 365 - Blocked URLs
MDO Blocked UR Ls
Query
UrlClickEvents
| where TimeGenerated > ago(90d)
| where ActionType == "ClickBlocked"
| where DetectionMethods has_any ("URL")
| extend Domain = extract(@"[^.]+\.[^.]+$",0, extract(@"^(?:https?://)?([^/]+)",1,Url))
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$",0,Domain,typeof(string)),".")[1])
| project TimeGenerated, TLD, Domain,IPAddress, ThreatTypes,DetectionMethods, IsClickedThrough,UrlAbout this query
Defender for Office 365 - Blocked URLs
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |
| T1566.002 | Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ |
Description
Use the below querys to find the domains of URLs that were blocked
Defender XDR
EmailEvents
| where DeliveryAction == "Blocked"
| where DetectionMethods has_any ("URL","domain")
| join EmailUrlInfo
on $left.NetworkMessageId == $right.NetworkMessageId
| extend Domain = extract(@"[^.]+\.[^.]+$",0, extract(@"^(?:https?://)?([^/]+)",1,Url))
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$",0,Domain,typeof(string)),".")[1])
| project TimeGenerated,TLD, Domain, ThreatTypes, ThreatNames, DetectionMethods, SenderFromDomain, Url
Explanation
This query is designed to identify and list domains from URLs that were blocked by Microsoft Defender for Office 365 due to potential phishing threats. It focuses on two specific MITRE ATT&CK techniques related to phishing.
Here's a simplified breakdown of what each part of the query does:
-
UrlClickEvents Query:
- Time Frame: Looks at URL click events from the last 90 days.
- Action Type: Filters for events where the action taken was "ClickBlocked," meaning the URL was blocked when someone tried to click it.
- Detection Method: Ensures that the detection method involved URLs.
- Domain Extraction: Extracts the domain from the URL, focusing on the main part of the domain (e.g., "example.com").
- TLD Extraction: Extracts the top-level domain (TLD) from the domain (e.g., "com").
- Output: Displays the time the event was generated, the TLD, the domain, IP address, threat types, detection methods, whether the URL was clicked through, and the URL itself.
-
EmailEvents Query:
- Delivery Action: Filters for email events where the delivery action was "Blocked," indicating the email was blocked.
- Detection Method: Ensures that the detection method involved URLs or domains.
- Join with EmailUrlInfo: Combines data from email events with URL information based on a common identifier (NetworkMessageId).
- Domain and TLD Extraction: Similar to the first query, it extracts the domain and TLD from the URL.
- Output: Displays the time the event was generated, the TLD, the domain, threat types, threat names, detection methods, the sender's domain, and the URL.
Overall, these queries help security analysts identify potentially malicious domains and URLs that were blocked, providing insights into phishing attempts and enhancing threat detection and response efforts.
