Investigating IsClickedThrough in Microsoft Defender XDR.
The phishing email was delivered.
The user clicked the embedded link.
Microsoft Defender Safe Links inspected the destination.
But Agent Foskett needed to answer the question that mattered most.
Did the user stop at the warning, or continue through to the destination?
The answer was hidden inside IsClickedThrough.
Lesson overview
Learn how to investigate IsClickedThrough in UrlClickEvents and determine whether users continued through Safe Links protection to reach a destination.
Why IsClickedThrough matters
The fields used in this lesson
Step 1 — Review IsClickedThrough activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
UrlClickEvents
| where Timestamp > ago(30d)
| project Timestamp,
AccountUpn,
Url,
ActionType,
IsClickedThrough
| order by Timestamp desc
Step 2 — Find users who clicked through
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
UrlClickEvents
| where Timestamp > ago(30d)
| where IsClickedThrough == true
| project Timestamp,
AccountUpn,
Url,
ActionType
| order by Timestamp desc
Step 3 — Summarise click-through outcomes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
UrlClickEvents
| where Timestamp > ago(30d)
| summarize Clicks = count(),
Users = dcount(AccountUpn)
by IsClickedThrough
| order by Clicks desc
Step 4 — Investigate suspicious login URLs
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
UrlClickEvents
| where Timestamp > ago(30d)
| where Url contains "login"
| project Timestamp,
AccountUpn,
Url,
UrlChain,
ActionType,
IsClickedThrough
| order by Timestamp desc
Step 5 — Correlate clicks with email delivery
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| project Timestamp,
Subject,
SenderFromAddress,
RecipientEmailAddress,
AccountUpn,
Url,
ActionType,
IsClickedThrough
| order by Timestamp desc
Step 6 — Find users who clicked through more than once
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
UrlClickEvents
| where Timestamp > ago(30d)
| where IsClickedThrough == true
| summarize ClickThroughs = count(),
FirstClick = min(Timestamp),
LastClick = max(Timestamp)
by AccountUpn
| order by ClickThroughs desc
How to read the results
Common investigation uses
Common mistakes
What you learned
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating IsClickedThrough in Microsoft Defender XDR
Agent Foskett Academy Lesson 75 teaches defenders how to investigate IsClickedThrough during Microsoft Defender XDR URL click investigations.
Learn IsClickedThrough investigation in Defender XDR
This lesson explains how IsClickedThrough, UrlClickEvents, UrlChain, ActionType, AccountUpn, NetworkMessageId and EmailEvents help defenders determine whether users continued through Safe Links protection during phishing investigations.
