Edit

UrlClickEvents

  • Applies to: Microsoft Defender XDR, Microsoft Sentinel in the Microsoft Defender portal

The UrlClickEvents table in the advanced hunting schema contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps.

This advanced hunting table is populated by records from Microsoft Defender for Office 365. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read Deploy supported services.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
Timestamp datetime The date and time when the user clicked on the link
Url string The full URL that was clicked on by the user
ActionType string Indicates whether the click was allowed or blocked by Safe Links or blocked due to a tenant policy, for instance, from Tenant Allow Block list
AccountUpn string User Principal Name of the account that clicked on the link
Workload string The application from which the user clicked on the link, with the values being Email, Office, and Teams
NetworkMessageId string The unique identifier for the email that contains the clicked link, generated by Microsoft 365
ThreatTypes string Verdict at the time of click, which tells whether the URL led to malware, phish or other threats
DetectionMethods string Detection technology that was used to identify the threat at the time of click
IPAddress string Public IP address of the device from which the user clicked on the link
IsClickedThrough bool Indicates whether the user was able to click through to the original URL (1) or not (0) on the Safe Links warning page using "Continue anyway" option
UrlChain string For scenarios involving redirections, it includes URLs present in the redirection chain
ReportId string The unique identifier for a click event. For clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event
AppName string The application's display name as exposed by the associated service principal
AppVersion string Version of the client application where the click occurred
SourceId string Unique identifier for the source of the click
TenantId string The Log Analytics workspace ID
Type string The name of the table
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TimeGenerated datetime The date and time when the user clicked on the link. The value is identical to Timestamp and intended for Microsoft Defender for Endpoints queries compatibility

Note

For clicks originating from email in Drafts and Sent items folders, email metadata is either not available or NetworkMessageId is assigned by default. In this case, UrlClickEvents can't be joined with Email* tables like EmailEvents, EmailPostDeliveryEvents, and others, using NetworkMessageId.

You can try this example query that uses the UrlClickEvents table to return a list of links where a user was allowed to proceed:

// Search for malicious links where user was allowed to proceed through
UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough !="0"
| where ThreatTypes has "Phish"
| summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes, Timestamp

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.

  • Last updated on