Correlating EmailEvents and UrlClickEvents in Microsoft Defender XDR.
The phishing email had been delivered.
Several users received it.
Some ignored it.
Others clicked the link.
Agent Foskett had email evidence in one table and click evidence in another.
To understand the full attack, he needed to bring EmailEvents and UrlClickEvents together.
Lesson overview
Learn how defenders correlate EmailEvents and UrlClickEvents to connect email delivery, recipient exposure, URL clicks, Safe Links outcomes and complete phishing investigation timelines.
Why correlation matters
The fields used in this lesson
Step 1 — Review suspicious email delivery
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
EmailEvents
| where Timestamp > ago(30d)
| where Subject contains "Password"
| project Timestamp,
NetworkMessageId,
SenderFromAddress,
RecipientEmailAddress,
Subject,
DeliveryAction
| order by Timestamp desc
Step 2 — Join EmailEvents with UrlClickEvents
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| project Timestamp,
Subject,
SenderFromAddress,
RecipientEmailAddress,
AccountUpn,
Url,
ActionType
| order by Timestamp desc
Step 3 — Find users who clicked
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| summarize Clicks = count(),
URLs = make_set(Url)
by RecipientEmailAddress,
AccountUpn,
Subject
| order by Clicks desc
Step 4 — Identify users who clicked through
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| where IsClickedThrough == true
| project Timestamp,
RecipientEmailAddress,
AccountUpn,
Subject,
Url,
ActionType
Step 5 — Build a phishing investigation timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| project Timestamp,
Subject,
SenderFromAddress,
RecipientEmailAddress,
AccountUpn,
Url,
UrlChain,
IsClickedThrough,
ActionType
| order by Timestamp asc
Step 6 — Count exposed users and clickers
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
EmailEvents
| join kind=leftouter UrlClickEvents on NetworkMessageId
| summarize Recipients = dcount(RecipientEmailAddress),
Clickers = dcount(AccountUpn)
by Subject,
SenderFromAddress
| order by Clickers desc
How to read the results
Common investigation uses
Common mistakes
What you learned
Related Agent Foskett Academy lessons
Coming next
Final thought
Correlating EmailEvents and UrlClickEvents in Microsoft Defender XDR
Agent Foskett Academy Lesson 77 teaches defenders how to correlate EmailEvents and UrlClickEvents during Microsoft Defender XDR phishing investigations.
Build complete phishing investigation timelines
This lesson explains how EmailEvents, UrlClickEvents, NetworkMessageId, RecipientEmailAddress, AccountUpn, Url, UrlChain, IsClickedThrough and ActionType help defenders connect email delivery with user click evidence.
