Advanced UrlClickEvents Investigations in Microsoft Defender XDR.
The phishing email looked convincing.
The sender passed casual inspection.
The user opened the message.
But Agent Foskett needed to answer the question that mattered most.
Did anyone actually click the link?
The answer was hidden inside UrlClickEvents.
Lesson overview
Learn how defenders use UrlClickEvents to investigate Safe Links activity, user clicks, phishing URLs, click outcomes and post-delivery evidence in Microsoft Defender XDR.
Why UrlClickEvents matters
The fields used in this lesson
Step 1 — Review recent URL clicks
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
UrlClickEvents
| where Timestamp > ago(7d)
| project Timestamp,
AccountUpn,
Url,
ActionType,
NetworkMessageId
| order by Timestamp desc
Step 2 — Investigate a specific user
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
UrlClickEvents
| where Timestamp > ago(30d)
| where AccountUpn == "user@contoso.com"
| project Timestamp,
AccountUpn,
Url,
ActionType,
NetworkMessageId
| order by Timestamp desc
Step 3 — Find clicks for suspicious URLs
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
UrlClickEvents
| where Timestamp > ago(30d)
| where Url has_any ("login", "verify", "secure", "password", "invoice")
| project Timestamp,
AccountUpn,
Url,
ActionType,
NetworkMessageId
| order by Timestamp desc
Step 4 — Summarise clicks by user
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
UrlClickEvents
| where Timestamp > ago(30d)
| summarize ClickCount = count(),
FirstClick = min(Timestamp),
LastClick = max(Timestamp)
by AccountUpn
| order by ClickCount desc
Step 5 — Correlate UrlClickEvents with EmailEvents
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
EmailEvents
| where Timestamp > ago(30d)
| join kind=inner (
UrlClickEvents
| where Timestamp > ago(30d)
) on NetworkMessageId
| project Timestamp,
Subject,
SenderFromAddress,
RecipientEmailAddress,
AccountUpn,
Url,
ActionType
| order by Timestamp desc
Step 6 — Build a click investigation timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
EmailEvents
| where Timestamp > ago(30d)
| join kind=leftouter (
UrlClickEvents
| where Timestamp > ago(30d)
| project ClickTime = Timestamp,
NetworkMessageId,
AccountUpn,
Url,
ActionType
) on NetworkMessageId
| project EmailTime = Timestamp,
ClickTime,
SenderFromAddress,
RecipientEmailAddress,
Subject,
AccountUpn,
Url,
ActionType
| order by EmailTime desc, ClickTime desc
How to read the results
Common investigation uses
Common mistakes
What you learned
Related Agent Foskett Academy lessons
Coming next
Final thought
Advanced UrlClickEvents Investigations in Microsoft Defender XDR
Agent Foskett Academy Lesson 73 teaches defenders how to investigate UrlClickEvents during Microsoft Defender XDR phishing investigations.
Learn UrlClickEvents investigation in Defender XDR
This lesson explains how UrlClickEvents, EmailEvents, NetworkMessageId, AccountUpn, Url and ActionType help defenders investigate phishing clicks, Safe Links outcomes and post-delivery user interaction.
