cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
Find out more
SOLVED

SafeLinks results in Microsoft 365 Defender incidents

slaimer
Copper Contributor

‎Feb 10 2023 12:13 AM

‎Feb 10 2023 12:13 AM

SafeLinks results in Microsoft 365 Defender incidents

Hello,

in Microsoft 365 Defender we receive an incident "Initial access incident on one endpoint reported by multiple sources" with alerts about ZAP'd emails and a "Suspicious URL clicked" alert generated by Defender for Endpoint.

The "Suspicious URL clicked" alert is marked "via safelink" so SafeLinks has checked the URL and returned the information to Defender for Endpoint.

 

But is there any way to be sure, based on the information in the Defender portal, that SafeLink has also definitely blocked access to the website? The displayed result is only "Detected."

 

In today's case, I saw connections from the browser to Safelinks IP addresses after the click event, and no more after that. So I can assume that the link was blocked or the user did not proceed, but I can't be sure without asking the user.

1,192 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by slaimer (Copper Contributor)
keenanbrooks

‎Feb 10 2023 04:45 AM

‎Feb 10 2023 04:45 AM

Solution

Re: SafeLinks results in Microsoft 365 Defender incidents

Within security.microsoft.com go to Explorer under Email & Collaboration. From here pop in the sender and go to the Top Clicks tab, this will show if it was blocked or allowed.
1 Like
Reply