Safe Links clicks from email messages, Teams, and Office 365 apps
| Attribute | Value |
|---|---|
| Category | Security, XDR |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AccountUpn | string | User Principal Name of the account that clicked on the link. |
| ActionType | string | Indicates whether the click was allowed or blocked by 'safe links' or blocked due to a tenant policy e.g., from tenant allow block list. |
| AppName | string | The application's display name as exposed by the associated service principal. |
| AppVersion | string | Version of the client application where click occurred |
| DetectionMethods | string | Detection technology which was used to identify the threat at the time of click. |
| IPAddress | string | Public IP address of the device from which the user clicked on the link. |
| IsClickedThrough | bool | Indicates whether the user was able to click through to the original URL or was not allowed. |
| NetworkMessageId | string | The unique identifier for the email that contains the clicked link, generated by Microsoft 365. |
| ReportId | string | The unique identifier for a click event. Note that for clickthrough scenarios, the report ID has the same value, so it should be used to correlate a click event. |
| SourceId | string | Unique identifier for the source of the click |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatTypes | string | Verdict at the time of click, which tells whether the URL led to malware, phish or other threats. |
| TimeGenerated | datetime | The date and time when the user clicked on the link. The value is identical to TimeGenerated and intended for Microsoft Defender for Endpoints queries compatibility. |
| Type | string | The name of the table |
| Url | string | The full URL that was clicked on by the user. |
| UrlChain | string | For scenarios involving redirections, it includes URLs present in the redirection chain. |
| Workload | string | The application from which the user clicked on the link, with the values being Email, Office and Teams. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Power Apps - Multiple users access a malicious link after launching new app | |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to UrlClickEvents | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to UrlClickEvents | |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Rare Domains in External Teams Messages | |
| Teams URL clicks actions summarized by URLs clicked on | Workload == "Teams" |
| Teams URL clicks through actions on Phish or Malware URLs summarized by URLs | ThreatTypes in "Malware,Phish" |
| Teams blocked URL clicks daily trend | |
| Top 10 Users clicking on malicious URLs in Teams | ThreatTypes in "Malware,Phish" |
| Top malicious URLs clicked by users in Teams | |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Blocked Clicks Trend | |
| End user malicious clicks | ThreatTypes contains "Phish" |
| MDO_URLClickedinEmail | |
| Malicious Clicks allowed (click-through) | IsClickedThrough == "1" |
| Malicious URL Clicks by workload | |
| Possible device code phishing attempts | |
| Top 10 Users clicking on Malicious URLs (Malware) | ThreatTypes == "Malware" |
| Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam) | ThreatTypes has_any "Malware" |
| Top 10 Users clicking on Malicious URLs (Phish) | ThreatTypes == "Phish" |
| Top 10 Users clicking on Malicious URLs (Spam) | ThreatTypes == "Spam" |
| URL Click attempts by threat type | |
| URL Clicks by Action | |
| URL click count by click action | |
| URL clicks actions by URL | |
| User clicked through events | ThreatTypes has "Phish" |
| User clicks on malicious inbound emails | |
| User clicks on phishing URLs in emails | ThreatTypes has "Phish" |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365detectionsandinsights | |
References by type: 0 connectors, 11 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ThreatTypes in "Malware,Phish" | - | 2 | - | - | 2 |
| ThreatTypes has "Phish" | - | 2 | - | - | 2 |
| ThreatTypes has_any "Malware" | - | 1 | - | - | 1 |
| Workload == "Teams" | - | 1 | - | - | 1 |
| IsClickedThrough == "1" | - | 1 | - | - | 1 |
| ThreatTypes == "Malware" | - | 1 | - | - | 1 |
| ThreatTypes == "Phish" | - | 1 | - | - | 1 |
| ThreatTypes == "Spam" | - | 1 | - | - | 1 |
| ThreatTypes contains "Phish" | - | 1 | - | - | 1 |
| Total | 0 | 11 | 0 | 0 | 11 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 1 | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Malware | - | 3 | - | - | 3 |
| Phish | - | 3 | - | - | 3 |
| has Phish | - | 2 | - | - | 2 |
| has_any Malware | - | 1 | - | - | 1 |
| Spam | - | 1 | - | - | 1 |
| contains Phish | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Teams | - | 1 | - | - | 1 |