in Microsoft 365 Defender we receive an incident "Initial access incident on one endpoint reported by multiple sources" with alerts about ZAP'd emails and a "Suspicious URL clicked" alert generated by Defender for Endpoint.
The "Suspicious URL clicked" alert is marked "via safelink" so SafeLinks has checked the URL and returned the information to Defender for Endpoint.
But is there any way to be sure, based on the information in the Defender portal, that SafeLink has also definitely blocked access to the website? The displayed result is only "Detected."
In today's case, I saw connections from the browser to Safelinks IP addresses after the click event, and no more after that. So I can assume that the link was blocked or the user did not proceed, but I can't be sure without asking the user.