Query Details

Modifications To Safe Links Allow Click Through Policy

Query

OfficeActivity
| where TimeGenerated > ago(90d)
| where Operation == "Set-SafeLinksPolicy"
| where parse_json(Parameters)[13].Value == "True" and parse_json(Parameters)[13].Name == "AllowClickThrough"

Explanation

This KQL (Kusto Query Language) query is searching through the OfficeActivity data to find specific events related to Safe Links policies. Here's a breakdown of what the query does in simple terms:

  1. Time Filter: It looks at records from the last 90 days (TimeGenerated > ago(90d)).

  2. Operation Filter: It filters the records to only include those where the operation performed was "Set-SafeLinksPolicy" (Operation == "Set-SafeLinksPolicy").

  3. Parameter Check: It further narrows down the results to those where, within the Parameters field, the 14th element (index 13) has a Name of "AllowClickThrough" and a Value of "True". This means it is looking for policy changes where the "Allow Click Through" option was enabled.

In summary, this query retrieves records of Safe Links policy changes made in the last 90 days where the "Allow Click Through" feature was turned on.
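The query above matches only when AllowClickThrough sits at index 13 of Parameters, so a record whose parameters arrive in a different order or number would not be returned. The following added example (not part of the original query or the author's code) matches the parameter by name wherever it appears in the array; the sample rows, user names and the AgeDays helper column are constructed for illustration.

```kusto
// Added example. SampleOfficeActivity holds constructed rows, not real audit data;
// replace it with OfficeActivity to run against a workspace.
let SampleOfficeActivity = datatable(AgeDays:int, Operation:string, UserId:string, Parameters:string)
[
    // AllowClickThrough enabled, but not at index 13 -> must match
    2, "Set-SafeLinksPolicy", "admin1@contoso.example",
       '[{"Name":"Identity","Value":"Default"},{"Name":"AllowClickThrough","Value":"True"}]',
    // AllowClickThrough disabled -> must not match
    5, "Set-SafeLinksPolicy", "admin2@contoso.example",
       '[{"Name":"Identity","Value":"Default"},{"Name":"AllowClickThrough","Value":"False"}]',
    // Policy change that does not touch AllowClickThrough -> must not match
    7, "Set-SafeLinksPolicy", "admin1@contoso.example",
       '[{"Name":"Identity","Value":"Default"},{"Name":"EnableForInternalSenders","Value":"True"}]',
    // Enabled, but older than the 90-day window -> must not match
    120, "Set-SafeLinksPolicy", "admin3@contoso.example",
       '[{"Name":"AllowClickThrough","Value":"True"}]'
]
| extend TimeGenerated = now() - AgeDays * 1d;
SampleOfficeActivity
| where TimeGenerated > ago(90d)
| where Operation == "Set-SafeLinksPolicy"
// Walk every element of the Parameters array instead of assuming a position.
| mv-apply Param = parse_json(Parameters) on (
    where tostring(Param.Name) == "AllowClickThrough"
      and tostring(Param.Value) =~ "True"
  )
| project TimeGenerated, UserId, Operation, Parameters
```

Only the first constructed row is returned, which shows the match no longer depends on where the parameter sits in the array.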

Details

Jay Kerai

Released: April 16, 2025

Tables

OfficeActivity

Keywords

OfficeActivity

Operators

OfficeActivity, |, where, >, ago(), ==, parse_json(), and
