Safe Links clicks from email messages, Teams, and Office 365 apps
| Attribute | Value |
|---|---|
| Category | Security, XDR |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| AccountUpn | string | User Principal Name of the account that clicked on the link. |
| ActionType | string | Indicates whether the click was allowed or blocked by 'safe links' or blocked due to a tenant policy e.g., from tenant allow block list. |
| AppName | string | The application's display name as exposed by the associated service principal. |
| AppVersion | string | Version of the client application where click occurred |
| DetectionMethods | string | Detection technology which was used to identify the threat at the time of click. |
| IPAddress | string | Public IP address of the device from which the user clicked on the link. |
| IsClickedThrough | bool | Indicates whether the user was able to click through to the original URL or was not allowed. |
| NetworkMessageId | string | The unique identifier for the email that contains the clicked link, generated by Microsoft 365. |
| ReportId | string | This is the unique identifier for a click event. Note that for clickthrough scenarios, the report ID would have the same value, and therefore it should be used to correlate a click event. |
| SourceId | string | Unique identifier for the source of the click |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatTypes | string | Verdict at the time of click, which tells whether the URL led to malware, phish or other threats. |
| TimeGenerated | datetime | The date and time when the user clicked on the link. The value is identical to TimeGenerated and intended for Microsoft Defender for Endpoints queries compatibility. |
| Type | string | The name of the table |
| Url | string | The full URL that was clicked on by the user. |
| UrlChain | string | For scenarios involving redirections, it includes URLs present in the redirection chain. |
| Workload | string | The application from which the user clicked on the link, with the values being Email, Office and Teams. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Power Apps - Multiple users access a malicious link after launching new app | |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to UrlClickEvents | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to UrlClickEvents | |
In solution Microsoft Defender XDR:
GitHub Only:
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365detectionsandinsights | |