Muokkaa

Jaa


UrlClickEvents

Events involving URLs clicked, selected, or requested on Microsoft Defender for Office 365.

Table attributes

Attribute Value
Resource types -
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation Yes
Sample Queries Yes

Columns

Column Type Description
AccountUpn string User Principal Name of the account that clicked on the link.
ActionType string Indicates whether the click was allowed or blocked by 'safe links' or blocked due to a tenant policy e.g., from tenant allow block list.
_BilledSize real The record size in bytes
DetectionMethods string Detection technology which was used to identify the threat at the time of click.
IPAddress string Public IP address of the device from which the user clicked on the link.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
IsClickedThrough bool Indicates whether the user was able to click through to the original URL or was not allowed.
NetworkMessageId string The unique identifier for the email that contains the clicked link, generated by Microsoft 365.
ReportId string This is the unique identifier for a click event. Note that for clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TenantId string The Log Analytics workspace ID
ThreatTypes string Verdict at the time of click, which tells whether the URL led to malware, phish or other threats.
TimeGenerated datetime The date and time when the user clicked on the link. The value is identical to TimeGenerated and intended for Microsoft Defender for Endpoints queries compatibility.
Type string The name of the table
Url string The full URL that was clicked on by the user.
UrlChain string For scenarios involving redirections, it includes URLs present in the redirection chain.
Workload string The application from which the user clicked on the link, with the values being Email, Office and Teams.