Use the query below to retrieve Microsoft Defender for Office 365 (MDO) Safe Links click activities from Microsoft 365 Defender.
```kql
// Retrieve Safe Links click activities (TIUrlClickData events) from the CloudAppEvents table
CloudAppEvents
| where ActionType == 'TIUrlClickData'
// RawEventData holds the Office 365 Management Activity API record as a JSON string
| extend xRawEventData = parse_json(RawEventData)
// UrlClickAction is numeric in the schema; compare it as an integer, not as a string
| extend clickactionId = toint(xRawEventData.UrlClickAction)
| extend ClickAction = case(
    clickactionId == 2, "Blockpage",
    clickactionId == 3, "PendingDetonationPage",
    clickactionId == 4, "BlockPageOverride",
    clickactionId == 5, "PendingDetonationPageOverride",
    "Unknown")
| extend Url = tostring(xRawEventData.Url)
| extend AppName = tostring(xRawEventData.AppName)
| extend SourceId = tostring(xRawEventData.SourceId)
| extend UserId = tostring(xRawEventData.UserId)
| extend TimeOfClick = todatetime(xRawEventData.TimeOfClick)
| extend EventDeepLink = tostring(xRawEventData.EventDeepLink)
| extend SourceWorkload = tostring(xRawEventData.SourceWorkload)
| extend OS = tostring(xRawEventData.OS)
| project Timestamp, TimeOfClick, ActionType, Application, AccountDisplayName, UserId, ClickAction, Url, AppName, SourceWorkload, OS, SourceId, EventDeepLink
```
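The following is an added example, not part of the original query or the contributor's code: it reuses the same CloudAppEvents parsing and UrlClickAction mapping, but aggregates per user so that an analyst can see who clicked through a Safe Links block page or pending-detonation page, which is the outcome that usually needs follow-up. The `lookback` value, the 30-day window and the output column names are assumptions chosen for this example.

```kql
// Added example: Safe Links warnings and click-through overrides per user
let lookback = 30d;   // assumption: adjust to the tenant's retention and review cadence
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == 'TIUrlClickData'
| extend xRawEventData = parse_json(RawEventData)
| extend clickactionId = toint(xRawEventData.UrlClickAction)
| extend ClickAction = case(
    clickactionId == 2, "Blockpage",
    clickactionId == 3, "PendingDetonationPage",
    clickactionId == 4, "BlockPageOverride",
    clickactionId == 5, "PendingDetonationPageOverride",
    "Unknown")
| extend Url = tostring(xRawEventData.Url)
| extend SourceWorkload = tostring(xRawEventData.SourceWorkload)
// Count warnings shown versus warnings the user chose to proceed past,
// and keep up to 20 of the overridden URLs per user for triage
| summarize
    Warned    = countif(ClickAction in ("Blockpage", "PendingDetonationPage")),
    Overrides = countif(ClickAction in ("BlockPageOverride", "PendingDetonationPageOverride")),
    OverriddenUrls = make_set_if(Url, ClickAction in ("BlockPageOverride", "PendingDetonationPageOverride"), 20),
    Workloads = make_set(SourceWorkload),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
    by AccountDisplayName
// Only users who actually overrode at least one warning are of interest here
| where Overrides > 0
| order by Overrides desc, LastSeen desc
```

Because a click-through is normally preceded by the block page for the same URL, `Warned` will usually be at least as large as `Overrides`; the useful signal is the `Overrides` column and the `OverriddenUrls` set, which can be fed into a URL reputation check or an awareness follow-up with the user.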
This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
References:
- https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#urlclickaction
- https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links
Contributor: Alex Verboon
Thanks mate. I could not find where the table was. It helps a lot because the report from the URL threat protection dashboard can only be exported for 1 day.