This query looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. This query is not noisy, but most of its results are clean. It can also serve as a reference for other queries on email attachments, on browser downloads, or for queries that join multiple events by time.

Tags: #EmailAttachment, #WordLink, #BrowserDownload, #Phishing, #DedupFileCreate.

Implementation comment #1: Matching events by time. Matching the 3 different events (savi
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | cf259a7a-801a-435a-af3f-3ef998561145 |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| DeviceEvents | ActionType == "BrowserLaunchedToOpenUrl" | ✓ | ✗ | ? |
| DeviceFileEvents | | ✓ | ✗ | ? |