The URL Detection rule identifies potential adversary communication to suspicious URLs, which may indicate command and control or data exfiltration activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage threats and prevent lateral movement or data compromise.
KQL Query
let partialRemoteUrlToDetect = "microsoft.com"; // Change this to a URL you'd like to find machines connecting to
DeviceNetworkEvents
| where Timestamp > ago(7d)
and RemoteUrl has partialRemoteUrlToDetect // Can be changed to "contains" operator as explained above
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc
id: be220c78-843b-43c5-b638-dc9d10100c75
name: URL Detection
description: |
  This query finds network communication to a specific URL.
  Please note that in line #7 it filters RemoteUrl using the has operator, which looks for a "whole term" and runs faster.
  Example: RemoteUrl has "microsoft" matches "www.microsoft.com" but not "microsoftonline.com".
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  let partialRemoteUrlToDetect = "microsoft.com"; // Change this to a URL you'd like to find machines connecting to
  DeviceNetworkEvents
  | where Timestamp > ago(7d)
  and RemoteUrl has partialRemoteUrlToDetect // Can be changed to "contains" operator as explained above
  | project Timestamp, DeviceName, DeviceId, ReportId
  | top 100 by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Software Update from Trusted Repository
Description: A system is downloading a software update from a known and trusted repository (e.g., Microsoft Update, Adobe Update Server).
Filter/Exclusion: Exclude URLs that match known update servers (e.g., update.microsoft.com, adobe.com/update). Use a regex or IP list to exclude these domains from the alert.
Scenario: Scheduled Job Fetching Configuration from Internal API
Description: A scheduled job (e.g., using cron or Task Scheduler) is querying an internal API to fetch configuration data.
Filter/Exclusion: Exclude traffic to internal API endpoints (e.g., internal-api.example.com) by using a domain list or IP range in the rule.
Scenario: Admin Task Using PowerShell to Download a Script from a Secure Server
Description: An administrator is using PowerShell to download a script from a secure, internal server (e.g., secure-scripts.example.com) for automation.
Filter/Exclusion: Exclude traffic to internal servers by IP or domain, or use a process name filter like powershell.exe with a whitelist of known admin tools.
Scenario: User Accessing a Public Cloud Storage Bucket for Backup Purposes
Description: A user is accessing a public cloud storage bucket (e.g., AWS S3 bucket) to retrieve backup files.
Filter/Exclusion: Exclude traffic to known cloud storage buckets by using a regex pattern or by checking the RemoteUrl against a list of allowed cloud storage domains.
Scenario: Internal Monitoring Tool Communicating with a Centralized Log Server
Description: An internal monitoring tool (e.g., Splunk, ELK Stack) is sending logs to a centralized log server.
Filter/Exclusion: Exclude traffic to log servers by using a domain list or IP range, and
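The rule above extended with the four exclusion types the scenarios call for: an exact-host allowlist, an internal IP range, a process-plus-host pairing for admin PowerShell, and a regex for cloud storage bucket hostnames. This is an added example and not the rule's own query; every hostname, IP range, device name and regex in it is a hypothetical placeholder to be replaced with values from your environment.

```kql
// Added example, not the original rule: the same detection with tunable exclusions.
// All hosts, ranges and device names below are hypothetical placeholders.
let partialRemoteUrlToDetect = "microsoft.com";
// Scenarios 1-3: exact hostnames of known update servers and internal endpoints
let allowedHosts = dynamic([
    "update.microsoft.com",
    "internal-api.example.com",
    "secure-scripts.example.com"
]);
// Scenarios 2, 3, 5: internal address space where the API, script and log servers live
let internalRange = "10.0.0.0/8";
// Scenario 3: admin workstations whose PowerShell downloads are expected
let adminHosts = dynamic(["ADMIN-JUMPBOX-01", "ADMIN-JUMPBOX-02"]);
// Scenario 4: S3-style bucket hostnames, e.g. bucket.s3.amazonaws.com or bucket.s3.<region>.amazonaws.com
let cloudStoragePattern = @"(?i)\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$";
DeviceNetworkEvents
| where Timestamp > ago(7d)
// Whole-term match as in the original rule ("microsoft.com" matches www.microsoft.com, not microsoftonline.com)
| where RemoteUrl has partialRemoteUrlToDetect
// Case-insensitive exact host match against the allowlist
| where not(RemoteUrl in~ (allowedHosts))
// ipv4_is_in_range returns null for non-IPv4 values; coalesce keeps those rows in scope
| where not(coalesce(ipv4_is_in_range(RemoteIP, internalRange), false))
// Only suppress PowerShell downloads when they originate from an approved admin host
| where not(InitiatingProcessFileName =~ "powershell.exe" and DeviceName in~ (adminHosts))
| where not(RemoteUrl matches regex cloudStoragePattern)
// Keep the context an analyst needs to triage what survived the exclusions
| project Timestamp, DeviceName, DeviceId, ReportId, RemoteUrl, RemoteIP, InitiatingProcessFileName
| top 100 by Timestamp desc
```

Each exclusion is a separate `where` clause so a single line can be commented out to measure how many results that scenario suppresses before it is committed to the rule.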