Safe Link UrlClick events ?

AdamBudzinskiAZA-0329 91 Reputation points
2023-09-11T18:25:31.4266667+00:00

hi,

can't set the tag to Defender for Endpoint or Defender 365 !

Question. Having trouble to understand telemetry from Safe Links clicks from e-mail messages.

User's image

User's image

Looking at https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-urlclickevents-table?view=o365-worldwide

User's image

The click was allowed as per the above screen shot Action type = Click allowed . What does the even mean? It was not blocked by Safe Link ?

User's image

If it was not blocked what’s then the relevance of Is clicked through = false ?

This DOES not make any sense to me ! I don't see the url as rewriten. The click was allowed so what click trough to what original URL ? ?

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,351 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andrew Blumhardt 9,856 Reputation points Microsoft Employee
    2023-09-12T12:22:48.7433333+00:00

    Maybe this link will help. This is more of a Defender for Office topic but it sounds like pass through may be allowed in some situations depending on the policy settings. This may be more of an audit if not blocked.

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.