Introducing the UrlClickEvents table in advanced hunting with Microsoft Defender for Office 365
Published Apr 27 2022 09:00 AM
Microsoft

We are excited to announce the public preview of a new data source in Microsoft 365 Defender advanced hunting: the UrlClickEvents table from Microsoft Defender for Office 365. The change starts rolling out today.

The UrlClickEvents table is a critical source of information that your security and threat hunting teams can use to identify phishing campaigns and potentially malicious clicks, and to respond to those threats. The table contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps (in supported desktop, mobile, and web apps).

As a quick reminder, Safe Links is a feature in Microsoft Defender for Office 365 that provides URL scanning in mail flow and time-of-click protection for URLs in email messages, Microsoft Teams, and Office 365 apps. Safe Links scanning occurs in addition to the regular anti-spam, anti-phish, and anti-malware protection for inbound email messages in Exchange Online Protection (EOP). Safe Links helps protect your users and organization from malicious links used in phishing and other attacks.

The UrlClickEvents table schema consists of the following columns, which help security teams hunt for and investigate threats targeting their users and organization:

Column name | Description
Timestamp | The date and time when the user clicked the link
Url | The full URL that the user clicked
ActionType | Indicates whether the click was allowed or blocked by Safe Links, or blocked due to a tenant policy (e.g., an entry in the Tenant Allow/Block List)
AccountUpn | User Principal Name of the account that clicked the link
Workload | The application from which the user clicked the link; the values are Email, Office and Teams
NetworkMessageId | The unique identifier, generated by Microsoft 365, for the email that contains the clicked link
IPAddress | Public IP address of the device from which the user clicked the link
ThreatTypes | Verdict at the time of click, which tells whether the URL led to malware, phish or other threats
DetectionMethods | Detection technology that was used to identify the threat at the time of click
IsClickedThrough | Indicates whether the user was able to click through to the original URL or was not allowed
UrlChain | For scenarios involving redirections, the URLs present in the redirection chain
ReportId | The unique identifier for a click event. Note that in clickthrough scenarios the related events share the same report ID, so it should be used to correlate them.

Here are a few useful sample queries that can help your security teams get started:

// Search for malicious links where the user was allowed to proceed: the click was allowed, or the user clicked through the warning page
UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| where ThreatTypes has "Phish"
| summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes, Timestamp

// For email clicks, join UrlClickEvents with EmailEvents (and, in the same way, EmailPostDeliveryEvents) on NetworkMessageId to determine clickthroughs, potential deliveries through user or tenant overrides, and detection details
UrlClickEvents
| where ThreatTypes has "Phish"
| join EmailEvents on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
| project Timestamp, Url, ActionType, AccountUpn, ReportId, NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction

// Determine the top clicked URLs, the Safe Links action on each click, and user clickthroughs
UrlClickEvents
| where Timestamp > ago(7d)
| extend UrlBlocked = ActionType == "ClickBlocked"
| extend UrlAllowed = ActionType == "ClickAllowed"
| extend UrlPendingVerdict = ActionType == "UrlScanInProgress"
| extend ErrorPage = ActionType == "UrlErrorPage"
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
| extend TotalClicks = Blocked + Allowed + PendingVerdict + Error
| order by TotalClicks desc

// Merge Defender for Office 365 click data with Endpoint data: match each click to device network events for the same host and user within two minutes
UrlClickEvents
| extend Host = tostring(parse_url(Url).Host)
| join (DeviceNetworkEvents) on $left.Host == $right.RemoteUrl and $left.AccountUpn == $right.InitiatingProcessAccountUpn
| where (Timestamp - Timestamp1) between (0min .. 2min)

You could then join this to get the full device timeline.
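As an added example that is not one of the post's own queries, the following uses ReportId (which, per the schema above, is shared between a blocked click and the later clickthrough on the same link) to surface users who clicked through to a URL with a Phish verdict, and enriches email clicks with message details from EmailEvents. It assumes the ActionType value ClickBlocked shown in the post's queries and that UrlChain is a dynamic array, as the schema describes.

```kql
// Added example, not one of the post's queries. Groups the related click events by
// ReportId (shared across a blocked click and its clickthrough, per the schema),
// keeps only groups where a user clicked through to a Phish-verdict URL, and
// enriches email clicks with sender and subject from EmailEvents.
// Assumes: ActionType value "ClickBlocked" and a dynamic UrlChain column.
UrlClickEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish"
| summarize FirstClick = min(Timestamp),
            LastClick = max(Timestamp),
            Actions = make_set(ActionType),              // e.g. ["ClickBlocked", "ClickAllowed"]
            Blocked = countif(ActionType == "ClickBlocked"),
            ClickThroughs = countif(IsClickedThrough),   // > 0 means the warning page was bypassed
            Urls = make_set(Url),
            RedirectHops = max(array_length(UrlChain))   // depth of the redirection chain, if any
    by ReportId, AccountUpn, Workload, NetworkMessageId
| where ClickThroughs > 0
// Teams and Office clicks carry a system-generated NetworkMessageId with no matching
// email, so a leftouter join keeps those rows while email clicks get their details.
| join kind=leftouter (
    EmailEvents
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject
  ) on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
| project FirstClick, LastClick, AccountUpn, Workload, Urls, RedirectHops,
          Actions, Blocked, ClickThroughs, SenderFromAddress, Subject, ReportId
| order by LastClick desc
```

Rows with an empty SenderFromAddress and Subject are Teams or Office clicks; the remaining columns still identify the user, the URL and the redirection depth for follow-up.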

User clickthrough is a configurable setting in the Safe Links policies (see the "Do not allow users to click through to original URL" setting, and read more in the Safe Links settings documentation).

Note that for Teams and Office 365 clicks, NetworkMessageId contains a system-generated GUID and does not map to a Teams or Office 365 entity as of today. Also note that the client IP information is only available for email-based clicks; it is not available for Teams or Office 365 clicks currently. We are looking to update this for Teams by the end of this quarter. The account UPN information is available for email- and Teams-based clicks and is not available for a subset of Office 365 clicks currently; it should be updated by the end of this quarter.

Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

Last update: Apr 27 2022 11:11 AM