-
Notifications
You must be signed in to change notification settings - Fork 0
/
UrlClickEvents.me
41 lines (29 loc) · 3.63 KB
/
UrlClickEvents.me
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
UrlClickEvents Table in Microsoft Sentinel for Threat Hunting and Anomaly Detection
In the dynamic world of cybersecurity, proactive threat hunting and anomaly detection are key to staying ahead of potential threats. One powerful tool that aids in this process is the **UrlClickEvents table in Microsoft Sentinel**. This table can help us hunt for several cybersecurity attack vectors related to URL click activities. Let's delve into some examples:
1. *Phishing Attacks* - T1556: Phishing attacks often involve sending emails with malicious URLs to victims. If a user clicks on the URL, they might be taken to a fake login page where their credentials can be stolen. The UrlClickEvents table can help you identify unusual URL click activities that might indicate a phishing attack.
2. *Malware Downloads*: Malicious URLs can also lead to websites that automatically download malware onto a user’s device. By analyzing the UrlClickEvents table, you can potentially identify URLs that are associated with malware downloads.
3. *Command and Control (C2) Traffic*: - TA0011 In some cases, malware on a compromised device can communicate with a command and control server via HTTP/HTTPS requests. These requests can sometimes be identified by analyzing URL click events.
4. *Data Exfiltration*: - TA0010 In some advanced attacks, data exfiltration might occur through HTTP/HTTPS requests to specific URLs. The UrlClickEvents table can help you identify suspicious URL click activities that might indicate data exfiltration.
5. *Suspicious Redirects*: Attackers might use URL redirects to hide malicious activities. By analyzing the UrlClickEvents table, you can potentially identify suspicious redirect activities.
Now, let's talk about how we can use the UrlClickEvents table in Microsoft Sentinel for threat hunting and anomaly detection. For this, we can leverage the built-in anomaly detection capabilities of Azure Log Analytics. Here’s a high-level process:
1. Log into Azure Portal: Navigate to your Microsoft Sentinel workspace.
2. Open Log Analytics: In the Microsoft Sentinel workspace, open Log Analytics.
3. Write a KQL Query: Write a Kusto Query Language (KQL) query to analyze the UrlClickEvents table.
We can use the `series_decompose_anomalies()` function to detect anomalies in your data. Here’s an example:
```kql
let startDate = ago(30d);
let endDate = now();
UrlClickEvents
| where ActionType != 'ClickAllowed'
| where TimeGenerated between (startDate .. endDate)
| make-series ClickCount=count() on TimeGenerated from startDate to endDate step 1d
| extend (anomalies, score, baseline) = series_decompose_anomalies(ClickCount)
| mv-expand TimeGenerated to typeof(datetime), ClickCount to typeof(long), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where score > 0.1
// Only If needed | where anomalies > 0
| project TimeGenerated, ClickCount, anomalies, score, baseline
```
This query counts the number of URL click events per day (`ClickCount=count()`), decomposes the series to find anomalies (`series_decompose_anomalies(ClickCount)`), and then filters for the rows where an anomaly was detected (`where anomalies > 0`).
4. Run the Query: Execute the query to find anomalies in the UrlClickEvents table.
5. Investigate Anomalies: Investigate the anomalies by looking at the surrounding events, the involved entities, and any related alerts or incidents.
By leveraging the power of Microsoft Sentinel and Azure Log Analytics, we can proactively hunt for potential threats and detect anomalies before they cause significant damage. Remember, in the world of cybersecurity, knowledge is power, and staying informed is our best defense. Stay safe.