Query Details
# List SafeLink events

## Query Information

#### Description
This query lists all events that have triggered a URL block by Safe Links. Those actions can come from multiple workloads: Teams, Office applications or email events. The user's URL click will also generate an incident itself. This query lists all events in one single view.

Note: This query will only give results if Safe Links is enabled in your environment.

#### Risk
A phishing campaign has started and a user has clicked the URL; the URL is blocked, so the risk is limited.

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide

## Defender For Endpoint
```
UrlClickEvents
| where ActionType == "ClickBlocked"
| project Timestamp, Url, Workload, AccountUpn, ThreatTypes, IsClickedThrough
```

## Sentinel
```
UrlClickEvents
| where ActionType == "ClickBlocked"
| project TimeGenerated, Url, Workload, AccountUpn, ThreatTypes, IsClickedThrough
```
This query lists all events where a URL has been blocked by SafeLinks. It includes events from various workloads such as Teams, Office Applications, and email. The query provides a single view of all these events. The purpose is to identify any phishing campaigns where users have clicked on blocked URLs. The risk is limited because the URLs are blocked. The query will only give results if SafeLinks is enabled in the environment.
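
Going one step beyond the flat listing, the following added example (not part of the original query or the author's code) groups the blocked clicks by URL so that one link reaching several users stands out as a campaign, and ranks URLs where a user clicked through first. The seven-day lookback and the output column names are assumptions; in Sentinel, use `TimeGenerated` in place of `Timestamp`.

```kusto
// Added example: summarize Safe Links blocks per URL to surface campaigns.
// Lookback is an assumed value; adjust it to your retention and hunting window.
let Lookback = 7d;
UrlClickEvents
| where Timestamp > ago(Lookback)
| where ActionType == "ClickBlocked"
| summarize
    BlockedClicks   = count(),                          // total blocked clicks on this URL
    DistinctUsers   = dcount(AccountUpn),               // how many different users clicked it
    Users           = make_set(AccountUpn, 50),         // capped list of affected accounts
    Workloads       = make_set(Workload),               // Teams, Office applications, email
    SeenThreatTypes = make_set(ThreatTypes),            // verdicts attached to the blocks
    ClickThroughs   = countif(IsClickedThrough == true),// clicks recorded as clicked through
    FirstClick      = min(Timestamp),
    LastClick       = max(Timestamp)
    by Url
| order by ClickThroughs desc, DistinctUsers desc
```

Rows with a non-zero `ClickThroughs` value are the ones to triage first, since the block did not stop the user from reaching the original URL.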

Bert-Jan Pals
Released: April 3, 2023