Blog Post

Microsoft Defender for Office 365 Blog
3 MIN READ

Introducing the UrlClickEvents table in advanced hunting with Microsoft Defender for Office 365

VipulPandey's avatar
VipulPandey
Icon for Microsoft rankMicrosoft
Apr 27, 2022
We are excited to announce the public preview for a new data source in Microsoft 365 Defender advanced hunting—the UrlClickEvents table from Microsoft Defender for Office 365, with the changes starti...
Updated Apr 27, 2022
Version 2.0
bec
hunting
microsoft 365 defender
phishing
gadgetz's avatar
gadgetz
Copper Contributor
Feb 04, 2023

GCC Schema


Alerts
------
AlertInfo (replaces DeviceAlertEvents)
- (AlertID, TimeStamp, Severity, Category, Title, AttackTechniques)
AlertEvidence
- (AlertID, TimeStamp, DeviceID, DeviceName, FileName, SHA1, RemoteUrl, RemoteIP, ReportId, Table)


Apps & identities
-----------------
IdentityInfo
IdentityLogonEvents
IdentityQueryEvents
IdentityDirectoryEvents
CloudAppEvents (replaces AppFileEvents)


Email & collaboration
---------------------
EmailEvents
EmailAttachmentInfo
EmailUrlInfo
EmailPostDeliveryEvents


Devices
-------
DeviceInfo
DeviceNetworkInfo
DeviceProcessEvents
DeviceNetworkEvents
DeviceFileEvents
DeviceRegistryEvents
DeviceLogonEvents
DeviceImageLoadEvents
DeviceEvents
DeviceFileCertificateInfo

 

Threat & Vulnerability Management
---------------------------------
DeviceTvmSoftwareVulnerabilities (replaces DeviceTvmSoftwareInventoryVulnerabilities)
DeviceTvmSoftwareVulnerabilitiesKB
DeviceTvmSecureConfigurationAssessment
DeviceTvmConfigurationAssessmentKB
DeviceTvmSoftwareInventory (replaces DeviceTvmSoftwareInventoryVulnerabilities)
DeviceTvmInfoGathering
DeviceTvmInfoGatheringKB
DeviceTvmSoftwareEvidenceBeta


Missing tables
--------------
UrlClickEvents
AppFileEvents (deprecated)
AADSignInEventsBeta
AADSpnSignInEventsBeta
DeviceAlertEvents (deprecated)
DeviceTvmSoftwareInventoryVulnerabilities (deprecated)