UrlClickEvents
Note
Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
Applies to:
- Microsoft Defender XDR
The UrlClickEvents table in the advanced hunting schema contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps.
Important
This table is currently in public preview. Some information relates to a prereleased feature which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
The date and time when the user clicked on the link |
Url |
string |
The full URL that was clicked on by the user |
ActionType |
string |
Indicates whether the click was allowed or blocked by Safe Links or blocked due to a tenant policy, for instance, from Tenant Allow Block list |
AccountUpn |
string |
User Principal Name of the account that clicked on the link |
Workload |
string |
The application from which the user clicked on the link, with the values being Email, Office, and Teams |
NetworkMessageId |
string |
The unique identifier for the email that contains the clicked link, generated by Microsoft 365 |
ThreatTypes |
string |
Verdict at the time of click, which tells whether the URL led to malware, phish or other threats |
DetectionMethods |
string |
Detection technology that was used to identify the threat at the time of click |
IPAddress |
string |
Public IP address of the device from which the user clicked on the link |
IsClickedThrough |
bool |
Indicates whether the user was able to click through to the original URL (1) or not (0) |
UrlChain |
string |
For scenarios involving redirections, it includes URLs present in the redirection chain |
ReportId |
string |
The unique identifier for a click event. For clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event. |
You can try this example query that uses the UrlClickEvents table to return a list of links where a user was allowed to proceed:
// Search for malicious links where user was allowed to proceed through
UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough !="0"
| where ThreatTypes has "Phish"
| summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes, Timestamp
Related articles
- Supported Microsoft Defender XDR streaming event types in event streaming API
- Proactively hunt for threats
- Safe Links in Microsoft Defender for Office 365
- Take action on advanced hunting query results
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for