Investigating UrlChain in Microsoft Defender XDR.
The user clicked the link.
Safe Links recorded the event.
But the first URL was not where the browser actually ended up.
Agent Foskett needed to follow every redirect from the original click to the final destination.
The answer was hidden inside UrlChain.
In Microsoft Defender XDR, UrlChain helps defenders trace phishing redirects, uncover hidden infrastructure and understand where a user was really sent after clicking a link.
Lesson overview
Learn how to investigate UrlChain in UrlClickEvents and use it to trace redirects from the original clicked link to the final destination.
Why UrlChain matters
The fields used in this lesson
Step 1 — Review recent UrlChain activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
UrlClickEvents
| where Timestamp > ago(30d)
| where isnotempty(UrlChain)
| project Timestamp,
AccountUpn,
Url,
UrlChain,
ActionType
| order by Timestamp desc
Step 2 — Investigate a specific user's redirect path
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
UrlClickEvents
| where AccountUpn == "user@contoso.com"
| where Timestamp > ago(7d)
| project Timestamp,
Url,
UrlChain,
ActionType
| order by Timestamp desc
Step 3 — Find common redirect chains
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
UrlClickEvents
| where Timestamp > ago(30d)
| where isnotempty(UrlChain)
| summarize Clicks = count(), Users = dcount(AccountUpn)
by UrlChain
| order by Clicks desc
Step 4 — Search for suspicious redirect wording
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
UrlClickEvents
| where Timestamp > ago(30d)
| where UrlChain has_any ("login", "password", "verify", "invoice", "document")
| project Timestamp,
AccountUpn,
Url,
UrlChain,
ActionType
| order by Timestamp desc
Step 5 — Correlate redirect chains with email evidence
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
EmailEvents
| join kind=inner (
UrlClickEvents
| where isnotempty(UrlChain)
) on NetworkMessageId
| project Timestamp,
Subject,
SenderFromAddress,
RecipientEmailAddress,
AccountUpn,
Url,
UrlChain
Step 6 — Review blocked and allowed redirect activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
UrlClickEvents
| where Timestamp > ago(30d)
| where isnotempty(UrlChain)
| summarize Clicks = count(), Users = dcount(AccountUpn)
by ActionType,
UrlChain
| order by Clicks desc
How to read the results
Common investigation uses
Common mistakes
What you learned
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating UrlChain in Microsoft Defender XDR
Agent Foskett Academy Lesson 74 teaches defenders how to investigate UrlChain during Microsoft Defender XDR UrlClickEvents investigations.
Learn UrlChain investigation in Defender XDR
This lesson explains how UrlChain, UrlClickEvents, Url, AccountUpn, ActionType, NetworkMessageId and EmailEvents help defenders trace phishing redirects, uncover hidden infrastructure and investigate Safe Links click activity.
