Last active
June 7, 2022 06:03
-
-
Save alexmags/0ff30aa740c5d2f77e0509d1fd909f72 to your computer and use it in GitHub Desktop.
KQL to report on sites used with Internet Explorer. Use with Defender for Endpoint Advanced Hunting https://blog.alexmags.com/posts/internet-explorer-eol-kql/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DeviceNetworkEvents | |
| | where Timestamp > ago(7d) | |
| | where InitiatingProcessFileName =~ 'iexplore.exe' | |
| and RemoteUrl contains ".intranet domain here" | |
| and RemoteUrl !contains "proxy url here" | |
| //and RemoteUrl !contains "other thing to filter out" | |
| // chop off http:// or https:// | |
| | extend URLwithoutProtocol=replace_string(replace_string(RemoteUrl, 'http://', ''), 'https://', '') | |
| | extend splitURL=split(URLwithoutProtocol,'/') | |
| | extend domain=tostring(splitURL[0]) | |
| | summarize by InitiatingProcessAccountUpn,domain | |
| | summarize count() by domain | |
| | order by count_ desc | |
| //| top 15 by count_ | |
| //| render columnchart |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment