Queries for the UrlClickEvents table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Links where a user was allowed to proceed

Malicious links where user was allowed to proceed through.

UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough !="0"
| where ThreatTypes has "Phish"
| summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes, Timestamp