List Safe Link Events
Query
UrlClickEvents
| where ActionType == "ClickBlocked"
| project Timestamp, Url, Workload, AccountUpn, ThreatTypes, IsClickedThroughAbout this query
List SafeLink events
Query Information
Description
This query lists all events that have triggered a URL block by safelinks. Those actions can be from multiple workloads: Teams, Office Applications or from email events. The URL click of the user will also generate a indincident itself. This query lists all events in one single view.
Note: This query will only give results if safe links is enabled in your environment.
Risk
A phishing campaign has started and a user has clicked the url, the URL is blocked so the risk is limited.
References
Defender XDR
Sentinel
UrlClickEvents
| where ActionType == "ClickBlocked"
| project TimeGenerated, Url, Workload, AccountUpn, ThreatTypes, IsClickedThrough
Explanation
This query is designed to list all events where SafeLinks has blocked a URL click. SafeLinks is a security feature that protects users by checking URLs for potential threats. The query captures events from various sources, such as Teams, Office applications, or email, where a URL was clicked and subsequently blocked due to being deemed unsafe.
Here's a simple breakdown of the query:
-
Purpose: To identify and list all instances where SafeLinks has blocked a URL click, indicating a potential phishing attempt or malicious link.
-
Data Sources: The query pulls data from events related to URL clicks across different workloads (e.g., Teams, Office apps, email).
-
Output: The query provides a consolidated view of these events, displaying the following details:
- Timestamp/TimeGenerated: When the event occurred.
- Url: The URL that was clicked and blocked.
- Workload: The application or service where the click occurred.
- AccountUpn: The user account that attempted to click the URL.
- ThreatTypes: The type of threat associated with the URL.
- IsClickedThrough: Indicates whether the user attempted to bypass the block.
-
Risk Context: The risk is limited because the URL was blocked, preventing potential harm from a phishing campaign.
-
Prerequisite: SafeLinks must be enabled in your environment for this query to return results.
This query is useful for security teams to monitor and respond to potential phishing threats by providing visibility into blocked URL click events.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators