We are excited to announce the public preview for a new data source in Microsoft 365 Defender advanced hunting: the UrlClickEvents table from Microsoft Defender for Office 365, with the changes starting to roll out today.
The UrlClickEvents table is a critical source of information that your security and threat hunting teams can use to identify phishing campaigns and potentially malicious clicks, and to respond to those threats. The table contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps (in supported desktop, mobile, and web apps).
As a quick reminder, Safe Links is a feature in Microsoft Defender for Office 365 that provides URL scanning in mail flow, and time-of-click protection from URLs in email messages, Microsoft Teams and Office 365 apps. Safe Links scanning occurs in addition to the regular anti-spam, anti-phish, and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links helps protect your users and organization from malicious links that are used in phishing and other attacks.
The UrlClickEvents table schema consists of the following to help security teams hunt and investigate threats targeting their users and organization:
| Column name | Description |
|---|---|
| Timestamp | The date and time when the user clicked the link |
| Url | The full URL the user clicked |
| ActionType | Indicates whether the click was allowed or blocked by Safe Links, or blocked by a tenant policy (e.g., the Tenant Allow/Block List) |
| AccountUpn | User Principal Name of the account that clicked the link |
| Workload | The application from which the user clicked the link: Email, Office, or Teams |
| NetworkMessageId | The unique identifier, generated by Microsoft 365, for the email that contains the clicked link |
| IPAddress | Public IP address of the device from which the user clicked the link |
| ThreatTypes | Verdict at the time of click, indicating whether the URL led to malware, phish, or other threats |
| DetectionMethods | Detection technology used to identify the threat at the time of click |
| IsClickedThrough | Indicates whether the user was allowed to click through to the original URL |
| UrlChain | For clicks involving redirections, the URLs present in the redirection chain |
| ReportId | The unique identifier for a click event. In click-through scenarios the initial block and the subsequent click-through share the same ReportId, so use it to correlate those events. |
Here are a few useful sample queries that can help your security teams get started:
// Search for malicious links where the user was allowed to proceed through.
// IsClickedThrough is a bool column, so compare it with true rather than with the string "0".
UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| where ThreatTypes has "Phish"
| summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes, Timestamp

// For email clicks, join UrlClickEvents with EmailEvents (and EmailPostDeliveryEvents) on NetworkMessageId
// to determine click-throughs, potential deliveries through user/tenant overrides, and detection details.
UrlClickEvents
| where ThreatTypes has "Phish"
| join EmailEvents on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
| project Timestamp, Url, ActionType, AccountUpn, ReportId, NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction

// Determine top clicks by URL and the corresponding Safe Links action on each click, along with user click-throughs.
UrlClickEvents
| where Timestamp > ago(7d)
| extend UrlBlocked = ActionType has_any("ClickBlocked")
| extend UrlAllowed = ActionType has_any("ClickAllowed")
| extend UrlPendingVerdict = ActionType has_any("UrlScanInProgress")
| extend ErrorPage = ActionType has_any("UrlErrorPage")
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict),
    Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url

// Merge Defender for Office 365 click data with endpoint data: match the clicked host and the clicking
// account against network connections seen on the device within two minutes of the click.
UrlClickEvents
| extend Host = tostring(parse_url(Url).Host)
| join (DeviceNetworkEvents) on $left.Host == $right.RemoteUrl, $left.AccountUpn == $right.InitiatingProcessAccountUpn
| where (Timestamp - Timestamp1) between (0min .. 2min)
You could then join this result with the other device tables to get the full device timeline.
User click-through is a configurable setting in Safe Links policies (see the "Do not allow users to click through to original URL" setting, and read more in the Safe Links settings documentation).
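The following query is an added example, not one of the sample queries from the post above: it uses ReportId, as described in the schema table, to pair the initial Safe Links block with the user's later click-through on the same link, measures how long the user took to proceed, and pulls sender and delivery context from EmailEvents for email-based clicks. The 30-day lookback is an assumption; adjust it to your retention.

```kusto
// Added example (not from the original post): correlate block and click-through by ReportId.
let lookback = 30d;
UrlClickEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has_any ("Phish", "Malware")
// One row per click event: the block page and the click-through share a ReportId
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Actions = make_set(ActionType),
            ClickThroughs = countif(IsClickedThrough),
            Url = take_any(Url), Workload = take_any(Workload),
            AccountUpn = take_any(AccountUpn), NetworkMessageId = take_any(NetworkMessageId)
    by ReportId
// Keep only click events where the user went past the Safe Links warning page
| where ClickThroughs > 0
| extend SecondsToClickThrough = datetime_diff("second", LastSeen, FirstSeen)
// Email clicks carry a real NetworkMessageId; Teams/Office clicks carry a system GUID, so use leftouter
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject,
              DeliveryLocation, OrgLevelAction, UserLevelAction
  ) on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
| project FirstSeen, LastSeen, SecondsToClickThrough, AccountUpn, Workload, Url, Actions,
          SenderFromAddress, Subject, DeliveryLocation, OrgLevelAction, UserLevelAction, ReportId
| order by LastSeen desc
```

Rows with a short SecondsToClickThrough and a UserLevelAction or OrgLevelAction override are good candidates for user follow-up and for reviewing allow entries.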
Note that for Teams and Office 365 clicks, NetworkMessageId contains a system-generated GUID and does not map to a Teams/Office 365 entity as of today. Also note that the client IP information is only available for email-based clicks and is not currently available for Teams or Office 365 clicks. We are looking to update these for Teams by the end of this quarter. The account UPN information is available for email and Teams based clicks and is not currently available for a subset of Office 365 clicks; it should be updated by the end of this quarter.
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.