New URL & domain pages in Microsoft 365 Defender
Published Jun 20 2022 08:12 AM 9,287 Views

Want to easily investigate, take actions and pivot on URLs and domains? The new URL & domain pages will make it easier than ever. 

Try it out: URL - Microsoft 365 security

Or you can navigate through incidents, alerts, advanced hunting or by searching URL. 

 See all URL information in one placeSee all URL information in one place


Now you will be able to:

  • Get Domain details
    Lets you spot newly registered domains at a glance right within the page and side panel. In an investigation, newly registered domains may be a useful indicator for a suspicious domain.
  • See the URL verdict
    We’ve added a new tile that shows the Microsoft verdict for malicious URLs, indicating whether the URL is known to be bad and why (observed in phishing, malware etc.)
  • Pivot to Threat explorer
    Navigate in context to Threat explorer to hunt for emails containing this URL or domain.  
  • See related incidents
    Review incidents in your environment that involve this URL or domain. This will help correlate the URL to the attack(s) it was observed in.

List of incidents the URL was involved inList of incidents the URL was involved in



More experiences:

Pivot from the URL to related devices

In a typical investigation, you may want to pivot from the URL to other related entities to


Devices who had events with this URLDevices who had events with this URL



explore the scope of the attack. For example, the devices where the URL was observed may be the next thing you want to look at. The device list now shows more details about the device - such as its risk level, operating system and more – helping you prioritize the next investigation step.

To make the pivoting easier and more efficient, you can now pivot to the device timeline directly from this list, to the first or last event that involved this URL or domain. And most importantly, you can look for related devices 6 months back with one click?



New Domain (FQDN) page
Aggregates information from different observed URLs under the same fully qualified domain name into one page. You can navigate easily from any specific URL page to the related domain page, for a broader view across multiple URLs. Investigations can now make use of new aggregated data points such as the domain prevalence & incidents.

Example: Domain - Microsoft 365 security


New domain page – aggregated informationNew domain page – aggregated information




With these new features, you can now easily investigate URLs, pivot to connected devices, uplevel to investigating the domain in aggregate, and block the malicious entity.


See also:

1 Comment
Version history
Last update:
‎Jun 20 2022 09:33 AM
Updated by: