Agent Foskett Academy • Lesson 13 • Investigating UrlClickEvents in Microsoft Defender XDR

Investigating UrlClickEvents in Microsoft Defender XDR

A phishing email was delivered.
The user clicked the link.
Then clicked it again.

EmailEvents showed the message arrived.
UrlClickEvents showed what happened next.

In this Agent Foskett Academy lesson, you will learn how defenders use UrlClickEvents to investigate Safe Links clicks, suspicious URLs, user activity, source IP addresses, timestamps and phishing activity inside Microsoft Defender XDR.

Lesson overview

Learn how to investigate user clicks, suspicious URLs, Safe Links telemetry and phishing activity using UrlClickEvents inside Microsoft Defender XDR.

Safe Links click activity
Suspicious URL investigations
Connecting email clicks to phishing evidence
🔗 Phishing investigations do not stop at delivery.
EmailEvents can show that a message arrived. UrlClickEvents helps defenders follow the click and understand what users actually did next.
View EmailEvents KQL Guide →

Why UrlClickEvents matters

When investigating phishing attacks, defenders often start with EmailEvents.

But knowing an email was delivered is only part of the story.

The next question is simple:

Did the user click the link?

UrlClickEvents records Safe Links click events from email, Microsoft Teams and Office apps (the Workload column), and helps defenders understand which URLs were clicked, who clicked them, when they clicked them, whether Safe Links allowed or blocked the click, and whether Microsoft identified a threat.
Follow the click: Identify who clicked suspicious links and when the activity occurred.
Investigate suspicious URLs: Search for domains, URLs, threat types and repeated click behaviour.
Find campaign patterns: Use summarize, top, distinct and bin() to reveal click spikes and affected users.

Investigation scenario

A suspicious email bypasses initial review and reaches multiple users.

One employee reports the message.

The security analyst now needs to determine who clicked the link, how many times it was clicked, which URL was accessed and whether Microsoft classified the URL as malicious.

The investigation begins with UrlClickEvents.

Step 1 — Review recent URL clicks

Start by reviewing recent Safe Links click activity and sorting the newest results first.
recent-url-clicks.kql
UrlClickEvents
| where Timestamp > ago(7d)
| project Timestamp, AccountUpn, Url, ActionType
| order by Timestamp desc
Plain-English translation:

Show recent Safe Links click activity from the last seven days.
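Step 1 projects ActionType without saying what it holds. The query below is an added example, not part of the lesson, that breaks the same seven-day window down by outcome and workload so you can see how many clicks Safe Links blocked, how many warning pages users pushed through (IsClickedThrough), how many clicks already carried a verdict, and over what period. Column names come from the UrlClickEvents schema; nothing else is assumed.

```kql
// Added example, not from the lesson: Safe Links outcomes in the investigation window.
// ActionType records what Safe Links did with the click (for example ClickAllowed or ClickBlocked),
// Workload records where the click came from (Email, Teams or Office),
// IsClickedThrough is true when the user saw the warning page and continued anyway,
// ThreatTypes is non-empty when Microsoft had a verdict for the URL at click time.
UrlClickEvents
| where Timestamp > ago(7d)
| summarize
    Clicks = count(),
    Users = dcount(AccountUpn),
    ClickedThrough = countif(IsClickedThrough == true),
    Flagged = countif(isnotempty(ThreatTypes)),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by ActionType, Workload
| order by ClickedThrough desc, Clicks desc
```

Rows with a non-zero ClickedThrough are the first thing to triage: Safe Links presented a block or warning page and the user went ahead regardless. Running `UrlClickEvents | where IsClickedThrough == true` over the same window lists those users and URLs individually.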

Step 2 — Investigate a suspicious domain

If the reported email contains a suspicious domain, use contains to find users who clicked links containing that value. contains is a case-insensitive substring match, so it will also hit the keyword when it appears in the path or query string rather than in the hostname.
investigate-suspicious-domain.kql
UrlClickEvents
| where Timestamp > ago(7d)
| where Url contains "contoso-login"
| project Timestamp, AccountUpn, Url
| order by Timestamp desc
Plain-English translation:

Find users who clicked URLs containing a suspicious domain or keyword.
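Because contains matches anywhere in the URL string, a hostname match is more precise when the lure is a lookalike domain. The query below is an added example, not the lesson's own code: it extracts the hostname with parse_url(), matches it against a watch list or any subdomain of the primary lookalike, and summarises who clicked, from which IP addresses, with what verdict and when. The SuspectHosts list and the contoso-login.example name are constructed placeholders standing in for the domain taken from the reported message; UrlChain and IPAddress are columns of the UrlClickEvents schema.

```kql
// Added example, not from the lesson. SuspectHosts is a constructed placeholder list;
// replace it with the hostnames taken from the reported message.
let SuspectHosts = dynamic(["contoso-login.example", "login-contoso.example"]);
UrlClickEvents
| where Timestamp > ago(7d)
// parse_url() splits the URL into parts; Host is the hostname with no scheme, port or path.
| extend Host = tolower(tostring(parse_url(Url).Host))
// Exact match on the watch list, plus any subdomain of the primary lookalike.
| where Host in (SuspectHosts) or Host endswith ".contoso-login.example"
| summarize
    Clicks = count(),
    ClickedThrough = countif(IsClickedThrough == true),
    Users = make_set(AccountUpn, 50),
    SourceIPs = make_set(IPAddress, 20),
    Verdicts = make_set(ThreatTypes, 10),
    FirstClick = min(Timestamp),
    LastClick = max(Timestamp),
    // UrlChain holds the redirect chain Safe Links recorded; one sample per group is enough for triage.
    SampleRedirectChain = take_any(UrlChain)
    by Host, Url, ActionType
| order by FirstClick asc
```

Ordering by FirstClick puts the earliest click at the top, which is usually the user who should be interviewed first and the timestamp that anchors the rest of the timeline.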

Step 3 — Count clicks by user

summarize and count() help identify users with repeated click activity during the investigation window.
count-clicks-by-user.kql
UrlClickEvents
| where Timestamp > ago(7d)
| summarize ClickCount=count() by AccountUpn
| top 10 by ClickCount
Most active users: Find which accounts generated the most click activity.
Repeated click behaviour: Repeated clicks may suggest confusion, persistence or an active phishing lure.
Potential phishing victims: Users who clicked suspicious links may need account, session and device review.

Step 4 — Identify click spikes

bin() groups click activity into time windows, helping defenders identify bursts that may belong to a campaign.
url-click-time-spikes.kql
UrlClickEvents
| where Timestamp > ago(7d)
| summarize ClickCount=count() by bin(Timestamp, 1h)
| order by Timestamp asc
Plain-English translation:

Group URL click activity into hourly windows to identify unusual spikes.
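The hourly bin() above produces one series for the whole tenant, so a campaign of a few dozen clicks can disappear under normal traffic. The query below is an added example, not from the lesson, that builds one hourly series per URL host with make-series and scores each hour against that host's own baseline with series_outliers(); a score above 1.5 is a mild outlier under the function's Tukey-fence convention. The seven-day window, the 1.5 threshold and the MinClicks floor are choices made for this example, not values the lesson states.

```kql
// Added example, not from the lesson: per-host hourly click series with outlier scoring.
let lookback = 7d;
let MinClicks = 3;   // ignore hours with fewer clicks so single clicks on quiet hosts do not score as spikes
UrlClickEvents
| where Timestamp > ago(lookback)
| extend Host = tolower(tostring(parse_url(Url).Host))
| where isnotempty(Host)
// One row per host; Clicks and Timestamp become aligned arrays with one element per hour.
| make-series Clicks = count() default = 0 on Timestamp from ago(lookback) to now() step 1h by Host
// series_outliers() scores every point against the distribution of its own series.
| extend Score = series_outliers(Clicks)
// Unpack the three arrays in parallel so each row is one host-hour.
| mv-expand Timestamp to typeof(datetime), Clicks to typeof(long), Score to typeof(double)
| where Score > 1.5 and Clicks >= MinClicks
| summarize SpikeHours = make_list(Timestamp), PeakClicks = max(Clicks), SpikeClicks = sum(Clicks) by Host
| order by PeakClicks desc
```

A host that appears here with SpikeHours clustered into one short window and a PeakClicks well above its usual hourly count is the shape of a mass-mailed lure; feed that host back into the Step 2 query to get the users.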

Step 5 — Find unique URLs

distinct helps defenders understand which URLs appeared in the click telemetry without reviewing every repeated event.
distinct-clicked-urls.kql
UrlClickEvents
| where Timestamp > ago(7d)
| distinct Url
Plain-English translation:

Show every unique URL clicked during the investigation period.

Step 6 — Identify threat types

ThreatTypes holds the verdict Microsoft had for the URL at the time of the click, such as whether it led to malware, phishing or another threat, so filtering on a non-empty value surfaces clicks that were already associated with suspicious or malicious behaviour when they happened.
identify-url-threat-types.kql
UrlClickEvents
| where Timestamp > ago(7d)
| where isnotempty(ThreatTypes)
| project Timestamp, AccountUpn, Url, ThreatTypes
| order by Timestamp desc
Threat context: ThreatTypes can provide useful classification clues during a URL investigation.
Safe Links telemetry: UrlClickEvents helps defenders review user click behaviour after email delivery.
Next pivot: A clicked URL can lead to device, identity, browser and sign-in investigation.

Putting it together

Once you understand the fields in UrlClickEvents, you can combine filtering, projection, grouping and ranking into a practical investigation workflow.
urlclickevents-investigation-workflow.kql
UrlClickEvents
| where Timestamp > ago(7d)
| project Timestamp, AccountUpn, Url, ActionType, ThreatTypes
| summarize ClickCount=count() by AccountUpn, ThreatTypes
| top 10 by ClickCount
Start with the click: Identify which accounts clicked suspicious URLs during the investigation window.
Shape the evidence: Use project and summarize to make click activity easier to read and explain.
Find the pivot: Use clicked URLs, users and threat types to decide what to investigate next.
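As an added example that goes one step beyond the lesson's single-table workflow, the query below turns the investigation scenario into a single triage result. It starts from clicks that carry a verdict or that a user pushed through a block page, then joins to EmailEvents on NetworkMessageId, the message identifier both tables share, to attach sender, subject, recipient count and delivery time. EmailEvents has one row per recipient, so messages are collapsed to one row per NetworkMessageId before the join; otherwise every click would be counted once per recipient. This is not the lesson's own code and previews the table joining the next lesson covers; column names are from the two tables' schemas.

```kql
// Added example, not from the lesson: per-user triage of risky Safe Links clicks, tied back to the message.
let lookback = 7d;
let Messages =
    EmailEvents
    | where Timestamp > ago(lookback)
    // One row per message: earliest delivery time and how many recipients it reached.
    | summarize Delivered = min(Timestamp), Recipients = dcount(RecipientEmailAddress)
        by NetworkMessageId, SenderFromAddress, Subject;
UrlClickEvents
| where Timestamp > ago(lookback)
| where Workload == "Email"                                   // only clicks that originated from mail
| where isnotempty(ThreatTypes) or IsClickedThrough == true   // verdict at click time, or a user who overrode a warning
| join kind=leftouter (Messages) on NetworkMessageId         // leftouter: keep the click even if the message row is missing
| summarize
    Clicks = count(),
    ClickedThrough = countif(IsClickedThrough == true),
    Threats = make_set(ThreatTypes, 10),
    Urls = make_set(Url, 10),
    SourceIPs = make_set(IPAddress, 10),
    FirstClick = min(Timestamp),
    LastClick = max(Timestamp)
    by AccountUpn, NetworkMessageId, SenderFromAddress, Subject, Delivered, Recipients
// How long after delivery the first click happened; very short gaps often mean the lure was convincing.
| extend TimeToFirstClick = FirstClick - Delivered
| project-reorder AccountUpn, SenderFromAddress, Subject, Recipients, Clicks, ClickedThrough, Threats,
    TimeToFirstClick, FirstClick, LastClick, Urls, SourceIPs
| order by ClickedThrough desc, Clicks desc
```

Each row is one user and one message. Recipients tells you the blast radius of the message, Clicks and ClickedThrough tell you how far this user went, and SourceIPs plus FirstClick are the values you carry into the identity and device tables for the next pivot.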

Investigator mindset

EmailEvents tells you the email arrived.

UrlClickEvents tells you what happened next.

Many phishing investigations begin with a suspicious message, but the strongest evidence often appears when defenders follow the click.

The logs already knew.

The defender simply followed the trail.
Who clicked? Identify the users who interacted with suspicious URLs.
What did they click? Review URL values, domains, action types and threat classifications.
Where should I pivot next? Use the clicked URL, user account, source IP address and timestamp as the next investigation leads. UrlClickEvents has no device column, so the IP address and timestamp are what you carry into the device and sign-in tables.
🎓 Agent Foskett Academy — Follow the click
You now understand how UrlClickEvents helps defenders investigate Safe Links clicks, suspicious URLs and phishing activity inside Microsoft Defender XDR.

What you learned

In this lesson, you learned how UrlClickEvents helps defenders investigate user click behaviour after suspicious email delivery.
Understanding UrlClickEvents: UrlClickEvents helps defenders review Safe Links click telemetry inside Microsoft Defender XDR.
Investigating suspicious links: KQL can help identify suspicious domains, clicked URLs, users and threat classifications.
Tracking phishing activity: Click timestamps, users and URLs can reveal repeated activity, campaigns and investigation pivots.

Continue your investigation

The next step is learning how to connect tables together so defenders can follow evidence from email delivery to URL clicks and endpoint activity.
Agent Foskett Academy: Return to the full Academy learning path and review earlier KQL foundation lessons.
The Link Was Clicked After The Email Was Delivered: Continue into a real-world Agent Foskett investigation about email delivery, link clicks and post-delivery evidence.

Continue learning with EmailEvents KQL Guide, Email Spoofing KQL, KQL Threat Hunting Guide, Microsoft Security and the GEMXIT Security Review.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD
