User Principal Name of the account that clicked on the link.
ActionType
string
Indicates whether the click was allowed or blocked by 'safe links' or blocked due to a tenant policy e.g., from tenant allow block list.
_BilledSize
real
The record size in bytes
DetectionMethods
string
Detection technology which was used to identify the threat at the time of click.
IPAddress
string
Public IP address of the device from which the user clicked on the link.
_IsBillable
string
Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
IsClickedThrough
bool
Indicates whether the user was able to click through to the original URL or was not allowed.
NetworkMessageId
string
The unique identifier for the email that contains the clicked link, generated by Microsoft 365.
ReportId
string
This is the unique identifier for a click event. Note that for clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event.
SourceSystem
string
The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TenantId
string
The Log Analytics workspace ID
ThreatTypes
string
Verdict at the time of click, which tells whether the URL led to malware, phish or other threats.
TimeGenerated
datetime
The date and time when the user clicked on the link. The value is identical to TimeGenerated and intended for Microsoft Defender for Endpoints queries compatibility.
Type
string
The name of the table
Url
string
The full URL that was clicked on by the user.
UrlChain
string
For scenarios involving redirections, it includes URLs present in the redirection chain.
Workload
string
The application from which the user clicked on the link, with the values being Email, Office and Teams.