Events involving URLs clicked, selected, or requested on Microsoft Defender for Office 365.
Table attributes
Attribute | Value |
---|---|
Resource types | - |
Categories | Security |
Solutions | SecurityInsights |
Basic log | No |
Ingestion-time transformation | Yes |
Sample Queries | Yes |
Columns
Column | Type | Description |
---|---|---|
AccountUpn | string | User Principal Name of the account that clicked on the link. |
ActionType | string | Indicates whether the click was allowed or blocked by Safe Links, or blocked due to a tenant policy, for example from the Tenant Allow/Block List. |
_BilledSize | real | The record size in bytes. |
DetectionMethods | string | Detection technology which was used to identify the threat at the time of click. |
IPAddress | string | Public IP address of the device from which the user clicked on the link. |
_IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
IsClickedThrough | bool | Indicates whether the user was able to click through to the original URL or was not allowed. |
NetworkMessageId | string | The unique identifier for the email that contains the clicked link, generated by Microsoft 365. |
ReportId | string | The unique identifier for a click event. In clickthrough scenarios, the report ID has the same value, so it should be used to correlate a click event. |
SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
TenantId | string | The Log Analytics workspace ID. |
ThreatTypes | string | Verdict at the time of click, which tells whether the URL led to malware, phish or other threats. |
TimeGenerated | datetime | The date and time when the user clicked on the link. The value is identical to TimeGenerated and is intended for compatibility with Microsoft Defender for Endpoint queries. |
Type | string | The name of the table. |
Url | string | The full URL that was clicked on by the user. |
UrlChain | string | For scenarios involving redirections, it includes URLs present in the redirection chain. |
Workload | string | The application from which the user clicked on the link, with the values being Email, Office and Teams. |