Microsoft Tech Community
Introducing the UrlClickEvents table in advanced hunting with Microsoft Defender for Office 365
Published Apr 27 2022 09:00 AM

We are excited to announce the public preview of a new data source in Microsoft 365 Defender advanced hunting—the UrlClickEvents table from Microsoft Defender for Office 365—with the changes starting to roll out today.



The UrlClickEvents table is a critical source of information that your security and threat hunting teams can leverage to identify phishing campaigns, potentially malicious clicks, and use this information to respond to threats. The table contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps (in supported desktop, mobile, and web apps).



As a quick reminder, Safe Links is a feature in Microsoft Defender for Office 365 that provides URL scanning in mail flow, and time-of-click protection from URLs in email messages, Microsoft Teams and Office 365 apps. Safe Links scanning occurs in addition to the regular anti-spam, anti-phish, and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links helps protect your users and organization from malicious links that are used in phishing and other attacks.



The UrlClickEvents table schema consists of the following columns to help security teams hunt and investigate threats targeting their users and organization:

Timestamp: The date and time when the user clicked on the link.

Url: The full URL that was clicked on by the user.

ActionType: Indicates whether the click was allowed or blocked by Safe Links, or blocked due to a tenant policy (e.g., from the Tenant Allow/Block List).

AccountUpn: User Principal Name of the account that clicked on the link.

Workload: The application from which the user clicked on the link; the values are Email, Office, and Teams.

NetworkMessageId: The unique identifier for the email that contains the clicked link, generated by Microsoft 365.

IPAddress: Public IP address of the device from which the user clicked on the link.

ThreatTypes: Verdict at the time of click, which tells whether the URL led to malware, phish, or other threats.

DetectionMethods: Detection technology that was used to identify the threat at the time of click.

IsClickedThrough: Indicates whether the user was able to click through to the original URL or was not allowed.

UrlChain: For scenarios involving redirections, the URLs present in the redirection chain.

ReportId: The unique identifier for a click event. Note that for clickthrough scenarios, the clickthrough event carries the same ReportId as the original click, so ReportId should be used to correlate the two click events.
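The ReportId correlation described above can be made concrete with a query that pairs each blocked click with the later clickthrough on the same ReportId and reports how long the user took to override the warning. This is an added example rather than one of the post's own sample queries; it assumes, per the schema description, that a clickthrough is recorded as a separate row with IsClickedThrough set to true and the same ReportId as the original ClickBlocked row.

```kql
// Added example: pair each Safe Links block with the user's clickthrough on the same ReportId
// and measure how quickly the warning was overridden (lower is more worrying).
UrlClickEvents
| where Timestamp > ago(30d)
| where ActionType == "ClickBlocked"
| project ReportId, BlockedTime = Timestamp, Url, AccountUpn, ThreatTypes, NetworkMessageId
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(30d)
    | where IsClickedThrough == true          // the override event, same ReportId as the block
    | project ReportId, ClickThroughTime = Timestamp
) on ReportId
| extend SecondsToClickThrough = datetime_diff("second", ClickThroughTime, BlockedTime)
| project BlockedTime, ClickThroughTime, SecondsToClickThrough, AccountUpn, Url, ThreatTypes, NetworkMessageId, ReportId
| order by SecondsToClickThrough asc
```

Because both sides of the join are filtered to the same 30-day window, a block whose clickthrough falls outside that window is simply not paired; widen the window on the right-hand side if you want to catch late overrides.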


Here are a few useful sample queries that can help your security teams get started:

// Search for malicious links where the user was allowed to proceed through.
UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| where ThreatTypes has "Phish"
| summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes, Timestamp

// For email clicks, join UrlClickEvents with EmailEvents and EmailPostDeliveryEvents based on NetworkMessageId to determine clickthroughs, potential deliveries through user/tenant overrides, and detection details.
UrlClickEvents
| where ThreatTypes has "Phish"
| join EmailEvents on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
| project Timestamp, Url, ActionType, AccountUpn, ReportId, NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction

// Determine the top clicks by URL and the corresponding Safe Links action on each click, along with user clickthroughs.
UrlClickEvents
| where Timestamp > ago(7d)
| extend UrlBlocked = ActionType has_any("ClickBlocked")
| extend UrlAllowed = ActionType has_any("ClickAllowed")
| extend UrlPendingVerdict = ActionType has_any("UrlScanInProgress")
| extend ErrorPage = ActionType has_any("UrlErrorPage")
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict),
    Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url

// Merge Defender for Office 365 click data with Endpoint data: match the clicked host and account against device network events within two minutes of the click.
UrlClickEvents
| extend Host = tostring(parse_url(Url).Host)
| join (DeviceNetworkEvents) on $left.Host == $right.RemoteUrl and $left.AccountUpn == $right.InitiatingProcessAccountUpn
| where (Timestamp - Timestamp1) between (0min .. 2min)

You could then join this result with the other device tables to build the full device timeline.







User clickthrough is a configurable setting in the Safe Links policies (see the "Do not allow users to click through to original URL" setting, and read more in the Safe Links settings documentation).


Note that for Teams and Office 365 clicks, NetworkMessageId contains a system-generated GUID and does not map to a Teams/Office 365 entity as of today. Also note that the client IP information is only available for email-based clicks, and is not available for Teams or Office 365 clicks currently. We are looking to update these for Teams by the end of this quarter. The account UPN information is available for email and Teams based clicks and is not available for a subset of Office 365 clicks currently. It should be updated by the end of this quarter.
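The gaps noted above matter when you aggregate by user: rows from the affected Office 365 clicks have an empty AccountUpn and would otherwise collapse into one misleading "blank user" bucket. The following added query (not one of the post's sample queries) builds a per-user view of phish and malware clicks that excludes those rows explicitly, so the counts attributed to each account reflect only clicks where the UPN was recorded.

```kql
// Added example: per-user summary of threat clicks, excluding rows with no recorded UPN
// (a subset of Office 365 clicks currently lacks AccountUpn, per the note above).
UrlClickEvents
| where Timestamp > ago(30d)
| where isnotempty(AccountUpn)
| where ThreatTypes has_any ("Phish", "Malware")
| summarize BlockedClicks  = countif(ActionType == "ClickBlocked"),
            ClickThroughs  = countif(IsClickedThrough == true),
            DistinctUrls   = dcount(Url),
            LastClick      = max(Timestamp)
            by AccountUpn
| where ClickThroughs > 0                     // surface accounts that overrode at least one warning
| order by ClickThroughs desc, BlockedClicks desc
```

If you also want to see how many rows were dropped by the isnotempty filter, run the same query once without it and compare the totals; a large gap points at Office 365 clicks rather than email, since email clicks always carry the UPN.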



Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

Version history: last update Apr 27 2022 11:11 AM