EmailUrlInfo
Applies to:
- Microsoft Defender XDR
The EmailUrlInfo table in the advanced hunting schema contains information about URLs on emails and attachments processed by Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
NetworkMessageId |
string |
Unique identifier for the email, generated by Microsoft 365 |
Url |
string |
Full URL in the email subject, body, or attachment |
UrlDomain |
string |
Domain name or host name of the URL |
UrlLocation |
string |
Indicates which part of the email the URL is located |
ReportId |
string |
Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
Tip
To hunt for attacks based on URLs embedded within QR codes, users can leverage the UrlLocation column having "QRCode" as an identifier for URLs extracted from QR codes.
Related topics
- Advanced hunting overview
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.