Direct Link to Threat Explorer Results

Dear community,

I'm working in a Cyber Security Operations Center. In our daily work we need to investigate O365 alerts. What we currently have is just a link to the Azure Security Portal (AppSecurityPortal), but there is no detailed information about a detected phishing or malware mail. Therefore we would like to use a direct link to https://protection.office.com instead. So far, what I know from the raw data on the AppSecurityPortal is that a direct link to a specific message is possible via

"EventDeepLink": "https://protection.office.com/?hash=/threatexplorer?messageParams=<id>,2020-04-29T00:00:00,2020-04-2..."

But what we use in investigations is, for example, a direct link to get the results for all mails with a specific subject or from a specific sender. I know we can do it manually via the website, but a direct link placed in our internal ticketing system would help our analysts speed up the investigation.

Maybe you know how I can hand over parameters in the URL in order to start such a search directly.

In addition we would like to know the same for the CloudAppSecurityPortal Activity Log:

We know that we can directly jump to all activities related to a specific IP with the following:

https://<companyname>.portal.cloudappsecurity.com/#/audits?ip.address=eq(<ip>,)

But we would also like to know how to search directly for a specific user or mail address.

Many thanks for your help!

Regards

Immanuel Peschen
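Added example (not part of the post and not Microsoft code): a small Python helper that builds the two deep-link shapes quoted above so a ticketing system can embed them, validating the inputs before they land in a ticket. The tenant name, message id and dates are constructed samples; only the messageParams fields visible in the post (message id, start timestamp, end timestamp) are assumed, nothing beyond the truncated part.

```python
"""Build and parse the deep links quoted in the post (added example)."""
import ipaddress
from datetime import datetime, timezone
from urllib.parse import quote, unquote

# URL shapes copied from the post; everything after the visible fields is unknown.
THREAT_EXPLORER = "https://protection.office.com/?hash=/threatexplorer?messageParams="
MCAS_AUDITS = "https://{tenant}.portal.cloudappsecurity.com/#/audits?ip.address=eq({ip},)"


def _ts(d: datetime) -> str:
    """Format a timestamp as in the post (UTC, no offset suffix)."""
    if d.tzinfo is not None:
        d = d.astimezone(timezone.utc).replace(tzinfo=None)
    return d.strftime("%Y-%m-%dT%H:%M:%S")


def threat_explorer_link(message_id: str, start: datetime, end: datetime) -> str:
    """Deep link to one message, mirroring the EventDeepLink shape from the post."""
    if end < start:
        raise ValueError("end must not be before start")
    # Percent-encode the id so '<', '@' and any ',' cannot break the field layout.
    return THREAT_EXPLORER + ",".join([quote(message_id, safe=""), _ts(start), _ts(end)])


def parse_event_deep_link(url: str) -> dict:
    """Recover message id and time window from an EventDeepLink for ticket enrichment."""
    marker = "messageParams="
    idx = url.find(marker)
    if idx < 0:
        raise ValueError("not a Threat Explorer message deep link")
    parts = url[idx + len(marker):].split(",")
    if len(parts) < 3:
        raise ValueError("expected <id>,<start>,<end>")
    return {"message_id": unquote(parts[0]), "start": parts[1], "end": parts[2]}


def mcas_ip_link(tenant: str, ip: str) -> str:
    """Activity-log link filtered to one IP; reject junk before it reaches analysts."""
    addr = ipaddress.ip_address(ip.strip())  # ValueError on anything that is not an IP
    if not tenant.replace("-", "").isalnum():
        raise ValueError("tenant must be alphanumeric")
    return MCAS_AUDITS.format(tenant=tenant, ip=addr)


if __name__ == "__main__":
    # Constructed sample values, not real tenant or message data.
    day = datetime(2020, 4, 29, tzinfo=timezone.utc)
    print(threat_explorer_link("<abc@example.com>", day, datetime(2020, 4, 30, tzinfo=timezone.utc)))
    print(mcas_ip_link("contoso", "203.0.113.7"))
```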

3 Replies

@JanBakkerOrphaned Thanks for your reply. I will give it a try. Hopefully there is no limitation on the information we are able to pull, and the license works fine.

@immanuelpeschenthyssenkruppcom 

I'm trying to do similar work and the Microsoft Graph API hooks don't expose all of the details of the phishing email. You can get the alert's details, you can get who sent it and who it was sent to, but you can't get the subject without clicking through the portal.

I'm trying any way possible to get the subject but am drawing a blank.