Investigating ActionType in UrlClickEvents.
The phishing email was delivered.
The user clicked the embedded link.
Microsoft Defender Safe Links inspected the destination.
But Agent Foskett needed to answer the question that mattered most.
Did the user stop at the warning, or continue through to the destination?
The answer was hidden inside ActionType.
Lesson overview
Learn how to investigate ActionType in UrlClickEvents and understand how Microsoft Defender recorded blocked clicks, allowed clicks, warnings and Safe Links outcomes.
Why ActionType matters
The fields used in this lesson
Step 1 — Review ActionType activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
UrlClickEvents
| where Timestamp > ago(30d)
| project Timestamp,
AccountUpn,
Url,
ActionType,
ActionType
| order by Timestamp desc
Step 2 — Find allowed clicks
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
UrlClickEvents
| where Timestamp > ago(30d)
| where ActionType has "Allowed"
| project Timestamp,
AccountUpn,
Url,
ActionType,
IsClickedThrough
| order by Timestamp desc
Step 3 — Summarise click-through outcomes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
UrlClickEvents
| where Timestamp > ago(30d)
| summarize Clicks = count(),
Users = dcount(AccountUpn)
by ActionType
| order by Clicks desc
Step 4 — Investigate suspicious login URLs
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
UrlClickEvents
| where Timestamp > ago(30d)
| where Url contains "login"
| project Timestamp,
AccountUpn,
Url,
UrlChain,
ActionType,
ActionType
| order by Timestamp desc
Step 5 — Correlate clicks with email delivery
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| project Timestamp,
Subject,
SenderFromAddress,
RecipientEmailAddress,
AccountUpn,
Url,
ActionType,
ActionType
| order by Timestamp desc
Step 6 — Identify repeated allowed or warning activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
UrlClickEvents
| where Timestamp > ago(30d)
| where ActionType has_any ("Allowed", "Warning", "Click")
| summarize ClickEvents = count(),
FirstClick = min(Timestamp),
LastClick = max(Timestamp)
by AccountUpn, ActionType
| order by ClickEvents desc
How to read the results
Common investigation uses
Common mistakes
What you learned
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating ActionType in UrlClickEvents
Agent Foskett Academy Lesson 76 teaches defenders how to investigate ActionType in UrlClickEvents during Microsoft Defender XDR URL click investigations.
Learn ActionType investigation in Defender XDR
This lesson explains how ActionType, UrlClickEvents, UrlChain, IsClickedThrough, AccountUpn, NetworkMessageId and EmailEvents help defenders understand Microsoft Defender URL click outcomes during phishing investigations.
