Agent Foskett Academy • Lesson 76 • URL Click Investigation

Investigating ActionType in UrlClickEvents.

The phishing email was delivered.

The user clicked the embedded link.

Microsoft Defender Safe Links inspected the destination.

But Agent Foskett needed to answer the question that mattered most.

Did the user stop at the warning, or continue through to the destination?

The answer was hidden inside ActionType.

Agent Foskett Academy lesson explaining ActionType in Microsoft Defender XDR
Lesson overview

Learn how to investigate ActionType in UrlClickEvents and understand how Microsoft Defender recorded blocked clicks, allowed clicks, warnings and Safe Links outcomes.

Review click-through activity
Identify users who proceeded
Compare Safe Links outcomes
Prioritise risky user behaviour

Why ActionType matters

Not every URL click has the same security outcome. ActionType helps defenders understand how Microsoft Defender handled each click event.
It explains click outcomes ActionType shows whether Microsoft Defender allowed, blocked, warned or otherwise processed the URL click.
It prioritises response Users who clicked through to a suspicious destination may need faster password reset, session review and sign-in investigation.
It explains user behaviour This field helps defenders understand whether users obeyed warnings or continued through protection during a phishing event.

The fields used in this lesson

ActionType Indicates whether the user continued through Safe Links protection to reach the destination.
ActionType The click outcome recorded by Microsoft Defender Safe Links.
Url The URL involved in the click event.
AccountUpn The user account associated with the click activity.
UrlChain The redirect path followed during the click event.
NetworkMessageId Used to correlate click activity back to the email that delivered the link.

Step 1 — Review ActionType activity

Start by reviewing recent URL click records and the ActionType values Microsoft Defender recorded.
review-actiontype.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
UrlClickEvents
| where Timestamp > ago(30d)
| project Timestamp,
          AccountUpn,
          Url,
          ActionType,
          ActionType
| order by Timestamp desc

Step 2 — Find allowed clicks

Focus on URL click events where Microsoft Defender recorded allowed activity.
allowed-clicks.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
UrlClickEvents
| where Timestamp > ago(30d)
| where ActionType has "Allowed"
| project Timestamp,
          AccountUpn,
          Url,
          ActionType,
          IsClickedThrough
| order by Timestamp desc

Step 3 — Summarise click-through outcomes

Count click-through behaviour to understand how many users stopped and how many continued.
summarise-clickthrough.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
UrlClickEvents
| where Timestamp > ago(30d)
| summarize Clicks = count(),
            Users = dcount(AccountUpn)
          by ActionType
| order by Clicks desc

Step 4 — Investigate suspicious login URLs

Search for login-themed URLs and review whether users continued through Safe Links.
login-clickthrough.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
UrlClickEvents
| where Timestamp > ago(30d)
| where Url contains "login"
| project Timestamp,
          AccountUpn,
          Url,
          UrlChain,
          ActionType,
          ActionType
| order by Timestamp desc

Step 5 — Correlate clicks with email delivery

Use NetworkMessageId to connect click-through activity back to the message that delivered the link.
email-clickthrough-correlation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| project Timestamp,
          Subject,
          SenderFromAddress,
          RecipientEmailAddress,
          AccountUpn,
          Url,
          ActionType,
          ActionType
| order by Timestamp desc

Step 6 — Identify repeated allowed or warning activity

Repeated allowed or warning-related activity can identify users who may need urgent investigation or awareness support.
repeat-actiontype-users.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
UrlClickEvents
| where Timestamp > ago(30d)
| where ActionType has_any ("Allowed", "Warning", "Click")
| summarize ClickEvents = count(),
            FirstClick = min(Timestamp),
            LastClick = max(Timestamp)
          by AccountUpn, ActionType
| order by ClickEvents desc

How to read the results

ActionType should be treated as Defender action evidence. It becomes stronger when reviewed with UrlChain, IsClickedThrough and email context.
True requires attention A true value suggests the user continued through protection and may have reached the destination.
False still matters A false value does not mean the campaign was safe. It means the user did not continue through that click path.
ActionType completes the picture Review ActionType alongside IsClickedThrough to understand whether the click was allowed, blocked, warned or continued through.

Common investigation uses

Credential phishing Identify users who may have reached credential harvesting pages after Safe Links inspection.
User behaviour review Understand whether users followed security warnings or continued through to suspicious destinations.
Incident prioritisation Prioritise response for users who clicked through to suspicious or malicious destinations.
Post-click investigation Use click-through evidence to decide whether to review sign-ins, devices, sessions and mailbox activity.

Common mistakes

Assuming every allowed click is compromise An allowed click may still require more evidence. ActionType helps separate Defender outcomes from actual compromise.
Ignoring IsClickedThrough ActionType should be reviewed together with IsClickedThrough to understand whether the user continued beyond protection prompts.
Not checking what happened next If a user clicked through, defenders should review sign-ins, sessions, mailbox rules and endpoint activity.

What you learned

ActionType explains Defender handling It helps defenders determine whether a user continued through protection to the destination.
Click-through users need review Users who continue through warnings may need identity, session and endpoint investigation.
Clicks need context Use ActionType with UrlChain, IsClickedThrough, EmailEvents and identity evidence to understand the real risk.

Related Agent Foskett Academy lessons

Investigating UrlClickEvents Understand the table used to investigate URL click activity.
Advanced UrlClickEvents Investigations Build complete URL click investigation timelines.
Investigating UrlChain Trace redirects from original clicks to final destinations.
Investigating ReportId Correlate Defender XDR records during investigations.
Investigating InternetMessageId Identify email messages across Microsoft 365 investigations.
Investigating RecipientEmailAddress Identify users who received suspicious messages.

Coming next

Lesson 78 — Correlating EmailEvents with DeviceProcessEvents Next, Agent Foskett Academy shows how defenders correlate EmailEvents with DeviceProcessEvents to determine what executed on a device after a phishing email was delivered or an attachment was opened.
Why this matters Correlating EmailEvents with DeviceProcessEvents bridges the gap between email delivery and endpoint activity, helping defenders determine whether a phishing email resulted in malicious code execution.

Final thought

A URL click is not always the same as compromise. ActionType helps defenders understand how Microsoft Defender handled the user interaction.
Agent Foskett mindset Do not stop at clicked. Ask whether the user continued through protection and what happened next.
Follow the user decision The user's choice to continue or stop can change the priority and direction of the investigation.
Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Investigating ActionType in UrlClickEvents

Agent Foskett Academy Lesson 76 teaches defenders how to investigate ActionType in UrlClickEvents during Microsoft Defender XDR URL click investigations.

Learn ActionType investigation in Defender XDR

This lesson explains how ActionType, UrlClickEvents, UrlChain, IsClickedThrough, AccountUpn, NetworkMessageId and EmailEvents help defenders understand Microsoft Defender URL click outcomes during phishing investigations.