Agent Foskett Academy • Lesson 73 • URL Click Investigation

Advanced UrlClickEvents Investigations in Microsoft Defender XDR.

The phishing email looked convincing.

The sender passed casual inspection.

The user opened the message.

But Agent Foskett needed to answer the question that mattered most.

Did anyone actually click the link?

The answer was hidden inside UrlClickEvents.

Agent Foskett Academy lesson explaining advanced UrlClickEvents investigations in Microsoft Defender XDR
Lesson overview

Learn how defenders use UrlClickEvents to investigate Safe Links activity, user clicks, phishing URLs, click outcomes and post-delivery evidence in Microsoft Defender XDR.

Review recent URL clicks
Identify users who clicked phishing links
Correlate EmailEvents with UrlClickEvents
Build stronger phishing timelines

Why UrlClickEvents matters

Receiving a phishing email is not always the incident. The investigation often changes when a user clicks the link.
It shows user interactionUrlClickEvents helps defenders determine whether a user actually clicked a link inside a suspicious email.
It records click outcomesThe table helps explain whether the click was allowed, blocked, scanned or handled by Microsoft Safe Links protection.
It supports phishing timelinesClick evidence can be correlated with delivery, sender, recipient and endpoint activity to understand what happened after the email arrived.

The fields used in this lesson

TimestampThe time the URL click event was recorded.
AccountUpnThe user account associated with the URL click.
UrlThe URL that was clicked or evaluated.
ActionTypeThe action or outcome Microsoft recorded for the click.
NetworkMessageIdA message identifier that can help correlate URL click evidence back to the original email.
DeviceNameThe device context associated with the click when available.

Step 1 — Review recent URL clicks

Start by reviewing recent UrlClickEvents activity to understand who clicked links and when.
review-url-clicks.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
UrlClickEvents
| where Timestamp > ago(7d)
| project Timestamp,
          AccountUpn,
          Url,
          ActionType,
          NetworkMessageId
| order by Timestamp desc

Step 2 — Investigate a specific user

When a user reports a phishing email, review their recent URL click activity to determine whether they interacted with the message.
specific-user-url-clicks.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
UrlClickEvents
| where Timestamp > ago(30d)
| where AccountUpn == "user@contoso.com"
| project Timestamp,
          AccountUpn,
          Url,
          ActionType,
          NetworkMessageId
| order by Timestamp desc

Step 3 — Find clicks for suspicious URLs

Search for suspicious words, domains or URL patterns commonly seen in phishing campaigns.
suspicious-url-clicks.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
UrlClickEvents
| where Timestamp > ago(30d)
| where Url has_any ("login", "verify", "secure", "password", "invoice")
| project Timestamp,
          AccountUpn,
          Url,
          ActionType,
          NetworkMessageId
| order by Timestamp desc

Step 4 — Summarise clicks by user

Use summarisation to understand whether one user clicked repeatedly or whether a campaign affected multiple users.
summarise-clicks-by-user.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
UrlClickEvents
| where Timestamp > ago(30d)
| summarize ClickCount = count(),
            FirstClick = min(Timestamp),
            LastClick = max(Timestamp)
          by AccountUpn
| order by ClickCount desc

Step 5 — Correlate UrlClickEvents with EmailEvents

Join click activity back to email delivery evidence using NetworkMessageId where available.
correlate-email-and-clicks.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
EmailEvents
| where Timestamp > ago(30d)
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(30d)
) on NetworkMessageId
| project Timestamp,
          Subject,
          SenderFromAddress,
          RecipientEmailAddress,
          AccountUpn,
          Url,
          ActionType
| order by Timestamp desc

Step 6 — Build a click investigation timeline

Create a clean timeline that shows delivery context and click activity together.
url-click-investigation-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
EmailEvents
| where Timestamp > ago(30d)
| join kind=leftouter (
    UrlClickEvents
    | where Timestamp > ago(30d)
    | project ClickTime = Timestamp,
              NetworkMessageId,
              AccountUpn,
              Url,
              ActionType
) on NetworkMessageId
| project EmailTime = Timestamp,
          ClickTime,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          AccountUpn,
          Url,
          ActionType
| order by EmailTime desc, ClickTime desc

How to read the results

UrlClickEvents evidence should be interpreted alongside the original email, the recipient, the URL and the click outcome.
A click changes the riskIf a user clicked a phishing link, the investigation may need to expand into identity, endpoint and mailbox review.
Blocked does not always mean harmlessA blocked click still shows user intent and may indicate who was targeted or who needs follow-up awareness.
Correlate before concludingUse EmailEvents, NetworkMessageId, Subject and sender fields to confirm which email generated the click.

Common investigation uses

User-reported phishingConfirm whether the reporting user clicked the link before or after submitting the email.
Campaign scopingIdentify all users who clicked URLs related to the same phishing campaign.
Safe Links reviewUnderstand whether Microsoft allowed, blocked or otherwise processed the URL click.
Post-click investigationPivot from URL clicks into endpoint, identity and browser activity when a click may have led to compromise.

Common mistakes

Only checking EmailEventsThe email may look contained, but UrlClickEvents can reveal that users interacted with the threat.
Ignoring timingA click three days after delivery can still matter. Always review timestamps and user activity windows.
Assuming all clicks are equalAllowed, blocked, rewritten and scanned clicks can mean different things during an investigation.

What you learned

UrlClickEvents shows interactionIt helps defenders determine whether users clicked links related to suspicious emails.
Click evidence supports timelinesClick timestamps help explain what happened after email delivery.
Correlation is the keyEmailEvents and UrlClickEvents together provide a stronger phishing investigation than either table alone.

Related Agent Foskett Academy lessons

Investigating UrlClickEventsUnderstand the core UrlClickEvents table and how it supports Microsoft Defender XDR investigations.
Investigating EmailEventsReview the original email delivery evidence before analysing click activity.
Investigating NetworkMessageIdConnect the same email across message, URL, click and attachment telemetry.
Investigating RecipientEmailAddressIdentify which mailboxes received suspicious messages.
Investigating SubjectGroup phishing lures and campaign themes by subject line.
Connecting Tables with joinLearn how defenders connect related tables during Microsoft security investigations.

Coming next

Lesson 74 — Investigating UrlChain in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use UrlChain to follow redirects from the original clicked link through to the final destination.
Why this mattersAdvanced UrlClickEvents investigations show who clicked. UrlChain helps explain where the click actually went.

Final thought

A phishing email matters. A user click can turn that email into an active incident.
Agent Foskett mindsetDo not stop at delivery. Follow the click and confirm what the user actually did.
The click tells the next chapterUrlClickEvents helps defenders move from email evidence into real user interaction and possible compromise.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Advanced UrlClickEvents Investigations in Microsoft Defender XDR

Agent Foskett Academy Lesson 73 teaches defenders how to investigate UrlClickEvents during Microsoft Defender XDR phishing investigations.

Learn UrlClickEvents investigation in Defender XDR

This lesson explains how UrlClickEvents, EmailEvents, NetworkMessageId, AccountUpn, Url and ActionType help defenders investigate phishing clicks, Safe Links outcomes and post-delivery user interaction.