FrankHassanabad/url-notes.txt

## url-notes.txt
## Generic links from ML back to SIEM Application

#
# Several tests runs with each and adding/removing
# them to see which ones were effective
#

Network Overview Links
---
# Network Overview By User Name (KQL Query: user.name $user.name$)
siem#/network?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:network.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Network Overview By Process Name (KQL Query: process.name: $process.name$)
siem#/network?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:network.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))


Network Detail Links
---
# Network Details (No KQL)
siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:!n,queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Network Details By Destination Port (KQL Query: destination.port: $destination.port$)
siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'destination.port%20:%20%22$destination.port$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Network Details By Process Name (KQL Query: process.name: $process.name$)
siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Network Details By Host Name (KQL Query: host.name: $host.hostname$)
siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'host.name%20:%20%22$host.hostname$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Network Details By User Name (KQL Query user.name $user.name$)
siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Network Details (KQL Query: destination.port: $destination.port$ and host.name: $host.hostname$)
siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'destination.port%20:%20%22$destination.port$%22%20and%20host.name%20:%20%22$host.hostname$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Network Details (KQL Query destination.port: $destination.port$ and host.name $host.hostname$ and user.name $user.name$)
siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'destination.port%20:%20%22$destination.port$%22%20and%20host.name%20:%20%22$host.hostname$%22%20and%20user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Network Details (KQL Query destination.port: $destination.port$ and host.name $host.hostname$ and user.name: $user.name$ and process.name: $process.name$)
siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'destination.port%20:%20%22$destination.port$%22%20and%20host.name%20:%20%22$host.hostname$%22%20and%20user.name%20:%20%22$user.name$%22%20and%20process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))


Hosts Overview Links
---
# Hosts Overview By User Name (KQL Query: user.name $user.name$)
siem#/hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Hosts Overview By Process Name (KQL Query: process.name: $process.name$)
siem#/hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))


Host Details Links
---
# Host Details By Process Name (KQL Query: process.name: $process.name$)
siem#/hosts/$host.hostname$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Host Details By User Name (KQL Query: user.name $user.name$)
siem#/hosts/$host.hostname$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

# Host Details (KQL Query: process.name: $process.name$ and user.name $user.name$)
siem#/hosts/$host.hostname$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22%20and%20user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))
	## Generic links from ML back to SIEM Application

	#
	# Several tests runs with each and adding/removing
	# them to see which ones were effective
	#

	Network Overview Links
	---
	# Network Overview By User Name (KQL Query: user.name $user.name$)
	siem#/network?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:network.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Network Overview By Process Name (KQL Query: process.name: $process.name$)
	siem#/network?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:network.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))


	Network Detail Links
	---
	# Network Details (No KQL)
	siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:!n,queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Network Details By Destination Port (KQL Query: destination.port: $destination.port$)
	siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'destination.port%20:%20%22$destination.port$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Network Details By Process Name (KQL Query: process.name: $process.name$)
	siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Network Details By Host Name (KQL Query: host.name: $host.hostname$)
	siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'host.name%20:%20%22$host.hostname$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Network Details By User Name (KQL Query user.name $user.name$)
	siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Network Details (KQL Query: destination.port: $destination.port$ and host.name: $host.hostname$)
	siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'destination.port%20:%20%22$destination.port$%22%20and%20host.name%20:%20%22$host.hostname$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Network Details (KQL Query destination.port: $destination.port$ and host.name $host.hostname$ and user.name $user.name$)
	siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'destination.port%20:%20%22$destination.port$%22%20and%20host.name%20:%20%22$host.hostname$%22%20and%20user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Network Details (KQL Query destination.port: $destination.port$ and host.name $host.hostname$ and user.name: $user.name$ and process.name: $process.name$)
	siem#/network/ip/$destination.ip$?_g=()&kqlQuery=(filterQuery:(expression:'destination.port%20:%20%22$destination.port$%22%20and%20host.name%20:%20%22$host.hostname$%22%20and%20user.name%20:%20%22$user.name$%22%20and%20process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:network.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))


	Hosts Overview Links
	---
	# Hosts Overview By User Name (KQL Query: user.name $user.name$)
	siem#/hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Hosts Overview By Process Name (KQL Query: process.name: $process.name$)
	siem#/hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))


	Host Details Links
	---
	# Host Details By Process Name (KQL Query: process.name: $process.name$)
	siem#/hosts/$host.hostname$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Host Details By User Name (KQL Query: user.name $user.name$)
	siem#/hosts/$host.hostname$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

	# Host Details (KQL Query: process.name: $process.name$ and user.name $user.name$)
	siem#/hosts/$host.hostname$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22%20and%20user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))