URL click count by click action

Hunt Hypothesis

This query helps reviewing URL click count by ClickAction

KQL Query

UrlClickEvents 
| extend UrlBlocked = ActionType has_any("ClickBlocked") 
| extend UrlAllowed = ActionType has_any('ClickAllowed') 
| extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress') 
| extend ErrorPage = ActionType has_any('UrlErrorPage') 
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough)

Analytic Rule Definition

id: 3f007cdc-86bf-4657-9015-05101a3e54f5
name: URL click count by click action
description: |
  This query helps reviewing URL click count by ClickAction
description-detailed: |
  This query helps reviewing URL click count by ClickAction using Defender for Office 365 data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents 
  | extend UrlBlocked = ActionType has_any("ClickBlocked") 
  | extend UrlAllowed = ActionType has_any('ClickAllowed') 
  | extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress') 
  | extend ErrorPage = ActionType has_any('UrlErrorPage') 
  | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough)
version: 1.0.0

Required Data Sources

False Positive Guidance

• Scenario: Scheduled URL scanning job by endpoint security tool
  Description: A security tool like Crowd

MITRE ATT&CK Context

• Tactic: InitialAccess
• Technique: T1566 — T1566

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/URL Click/URL click count by click action.yaml)