Risky Sign In After Url Click To Monty Security Go Phish IP
Query
//This Query Detects Risky Sign ins after a Click to a Phishing Website listed on Montysecurity GoPhish List
let MontyGoPhish= externaldata (MontyGoPhishIP: string) ["https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/GoPhish%20IPs.txt"];
UrlClickEvents
| join kind=inner MontyGoPhish on $left.IPAddress == $right.MontyGoPhishIP
| project Timestamp, AccountUpn, Url
| join kind=inner AADSignInEventsBeta on $left.AccountUpn == $right.AccountUpn
| where Timestamp > Timestamp1
| where isnotempty(RiskLevelDuringSignIn)Explanation
This query is designed to identify potentially risky sign-ins that occur after a user clicks on a phishing website. Here's a simple breakdown of what it does:
-
Data Source: It starts by loading a list of IP addresses associated with phishing websites from an external source called "Montysecurity GoPhish List."
-
Event Matching: It looks at URL click events and checks if any of the IP addresses from the phishing list match the IP addresses in these events.
-
Data Projection: It selects specific details from these matched events, namely the timestamp of the event, the user's account name (AccountUpn), and the URL that was clicked.
-
Sign-In Event Correlation: It then correlates these URL click events with Azure Active Directory (AAD) sign-in events for the same user account.
-
Time Filtering: It filters the results to only include sign-in events that happened after the URL click event.
-
Risk Assessment: Finally, it checks if there is any risk level associated with these sign-in events, indicating potentially risky behavior.
In summary, this query identifies users who clicked on known phishing links and then had potentially risky sign-ins, helping to flag possible security incidents.
Details

Benjamin Zulliger
Released: November 10, 2024
Tables
Keywords
Operators