SafeLinks results in Microsoft 365 Defender incidents

Hello,

In Microsoft 365 Defender we receive an incident "Initial access incident on one endpoint reported by multiple sources" with alerts about ZAP'd emails and a "Suspicious URL clicked" alert generated by Defender for Endpoint.

The "Suspicious URL clicked" alert is marked "via safelink", so SafeLinks has checked the URL and returned the information to Defender for Endpoint.

But is there any way to be sure, based on the information in the Defender portal, that SafeLink has also definitely blocked access to the website? The displayed result is only "Detected."

In today's case, I saw connections from the browser to Safelinks IP addresses after the click event, and no more after that. So I can assume that the link was blocked or the user did not proceed, but I can't be sure without asking the user.

1 Reply
best response confirmed by slaimer (Copper Contributor)
Solution
Within security.microsoft.com, go to Explorer under Email & Collaboration. From here, pop in the sender and go to the Top Clicks tab; this will show if it was blocked or allowed.
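
The same click verdict can also be read from Advanced Hunting. The query below is an added example, not part of the reply above: it joins the `EmailEvents` and `UrlClickEvents` tables for one sender and labels each click as blocked, allowed, or clicked through. The sender address and the 7-day lookback are constructed placeholders.

```kql
// Added example: Safe Links click verdicts for mail from one sender.
// Placeholder values (constructed): replace with the sender from the incident.
let suspectSender = "sender@example.com";
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
| where SenderFromAddress =~ suspectSender
// One row per message so multi-recipient mail does not duplicate clicks.
| summarize Subject = take_any(Subject) by NetworkMessageId
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(lookback)
  ) on NetworkMessageId
// ActionType is the Safe Links verdict at click time;
// IsClickedThrough shows whether the user reached the original URL.
| extend Blocked = ActionType in ("ClickBlocked", "ClickBlockedByTenantPolicy")
| extend Outcome = case(
    Blocked and IsClickedThrough == true, "Block page shown, user clicked through",
    Blocked, "Blocked, user did not proceed",
    ActionType == "ClickAllowed", "Allowed at time of click",
    ActionType == "UrlScanInProgress", "Scan-in-progress page shown",
    ActionType == "UrlErrorPage", "Error page shown",
    "Other")
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, Outcome, Subject, IPAddress
| order by Timestamp desc
```

A row with `ClickBlocked` and `IsClickedThrough` false answers the question without asking the user; a row with `ClickAllowed` means the URL was not yet judged malicious when it was clicked, so the endpoint timeline should be reviewed for what followed.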