Find all the activities that launched a browser to open a URL from a compromised device.

Defender For Endpoint

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl startswith "http"
| project
     Timestamp,
     DeviceName,
     RemoteUrl,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath

Sentinel

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType == "BrowserLaunchedToOpenUrl"
| where RemoteUrl startswith "http"
| project
     TimeGenerated,
     DeviceName,
     RemoteUrl,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DFE - BrowserLaunchedToOpenUrlByCompromisedDevice.md

DFE - BrowserLaunchedToOpenUrlByCompromisedDevice.md

Find all the activities that launched a browser to open a URL from a compromised device.

Defender For Endpoint

Sentinel

Files

DFE - BrowserLaunchedToOpenUrlByCompromisedDevice.md

Latest commit

History

DFE - BrowserLaunchedToOpenUrlByCompromisedDevice.md

File metadata and controls

Find all the activities that launched a browser to open a URL from a compromised device.

Defender For Endpoint

Sentinel