Users clicking on suspicious URLs may indicate potential phishing or credential compromise attempts, and proactively hunting for unusual URL click patterns in Azure Sentinel can help identify and mitigate advanced persistent threat (APT) activity leveraging social engineering tactics. This behavior aligns with MITRE T1566 and is critical for early detection of adversary-driven user interaction with malicious content.
KQL Query

```kusto
UrlClickEvents
| summarize Count = count() by ActionType
| render piechart
```
```yaml
id: 4620ece3-dceb-4151-8621-5a56351c97cd
name: URL Clicks by Action
description: |
  Summarizes URL click events by action type to help analysts understand user click behavior and policy effectiveness.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  | summarize Count = count() by ActionType
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure the data connector that populates this table (MicrosoftThreatProtection) is enabled |
Scenario: User clicks on a legitimate internal URL during a scheduled system maintenance task
Example: A system administrator clicks on a URL in an email notification about a scheduled backup job.
Filter/Exclusion: Exclude URLs containing `internal`, `backup`, or `maintenance` in the domain or path, or filter by user role (e.g., admin).

Scenario: Automated script or tool performs a URL click as part of a configuration update
Example: A PowerShell script runs a command that triggers a URL click to update a configuration setting in Azure AD.
Filter/Exclusion: Exclude events where the source is a known automation tool (e.g., PowerShell, Azure CLI, or Intune) or filter by user agent string.

Scenario: User clicks on a URL in a phishing simulation email
Example: A security awareness training tool sends a simulated phishing email with a click-through URL to test user response.
Filter/Exclusion: Exclude URLs associated with known security training platforms (e.g., PhishSim, KnowBe4, or SpearPhish) or filter by email sender domain.

Scenario: User clicks on a URL in a support ticket or helpdesk portal
Example: An employee clicks on a link in an email from the helpdesk to access a support portal.
Filter/Exclusion: Exclude URLs from trusted support domains (e.g., support.microsoft.com, service-now.com, or zendesk.com) or filter by email sender.

Scenario: Scheduled job or service performs a URL click for API integration testing
Example: A CI/CD pipeline runs a test that includes a URL click to validate an API endpoint.
Filter/Exclusion: Exclude events where the source is a CI/CD tool (e.g., Jenkins,
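As an added example that is not part of the original page or the Defender for Office 365 workbook, the following query applies the scenario exclusions above before summarizing, and adds the click-through and distinct-user counts an analyst needs to judge policy effectiveness. The allow-list and keyword values are placeholders to tune per tenant, and the query assumes the standard UrlClickEvents columns Url, AccountUpn and IsClickedThrough.

```kusto
// Added example: the baseline query extended with the false-positive exclusions
// from the scenarios above. List contents are placeholders; tune them per tenant.
let LookBack = 7d;
// Trusted helpdesk portals and phishing-simulation platforms (term match on the URL).
let TrustedUrlFragments = dynamic(["support.microsoft.com", "service-now.com", "zendesk.com", "knowbe4.com"]);
// Internal maintenance notifications: keywords matched as terms in the domain or path.
let MaintenanceKeywords = dynamic(["internal", "backup", "maintenance"]);
UrlClickEvents
| where TimeGenerated > ago(LookBack)
| extend UrlHost = tolower(tostring(parse_url(Url).Host))
// Drop the known-benign click sources before counting.
| where not(Url has_any (TrustedUrlFragments))
| where not(Url has_any (MaintenanceKeywords))
// Per action type: total clicks, how many warned/blocked clicks were still clicked
// through, and how many distinct users and destination hosts were involved.
| summarize
    Clicks = count(),
    ClickedThrough = countif(IsClickedThrough == true),
    DistinctUsers = dcount(AccountUpn),
    DistinctHosts = dcount(UrlHost)
    by ActionType
| extend ClickThroughPct = round(100.0 * ClickedThrough / Clicks, 1)
| order by Clicks desc
```

Replace the last two lines with `| render piechart` to keep the workbook's chart view of the filtered counts.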