Adversaries commonly deliver malicious URLs through phishing, and a single user click on one of them can be the first step toward malware deployment, command and control, or data exfiltration. SOC teams should proactively hunt for this URL click behavior in Azure Sentinel, using Defender for Office 365 URL click data, to identify potential compromise early and prevent further lateral movement or data theft.
KQL Query

```kql
UrlClickEvents
// Restrict to the "last 7 days" window the description promises; Sentinel exposes TimeGenerated on this table
| where TimeGenerated > ago(7d)
// ActionType is the Safe Links verdict for the click; flag each verdict type so it can be counted
| extend UrlBlocked = ActionType has_any ("ClickBlocked")
| extend UrlAllowed = ActionType has_any ("ClickAllowed")
| extend UrlPendingVerdict = ActionType has_any ("UrlScanInProgress")
| extend ErrorPage = ActionType has_any ("UrlErrorPage")
// IsClickedThrough is true when the user proceeded past a warning page
| summarize Blocked = countif(UrlBlocked),
            Allowed = countif(UrlAllowed),
            PendingVerdict = countif(UrlPendingVerdict),
            Error = countif(ErrorPage),
            ClickedThrough = countif(IsClickedThrough)
  by Url
```
```yaml
id: bc46e331-3cb0-483d-9c90-989d2a59457f
name: URL clicks actions by URL
description: |
  In this query, we are looking at URL click actions by URL in the last 7 days
description-detailed: |
  In this query, we are looking at URL click actions by URL in the last 7 days using Defender for Office 365 data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  | where TimeGenerated > ago(7d)
  | extend UrlBlocked = ActionType has_any ("ClickBlocked")
  | extend UrlAllowed = ActionType has_any ("ClickAllowed")
  | extend UrlPendingVerdict = ActionType has_any ("UrlScanInProgress")
  | extend ErrorPage = ActionType has_any ("UrlErrorPage")
  | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
- Scenario: A system administrator clicks on a URL in a support ticket to access a remote support tool.
  - Filter/Exclusion: Exclude URLs containing support.ticket.system.com or any known internal support portal domains.
- Scenario: A scheduled job runs a script that downloads a configuration file from an internal repository.
  - Filter/Exclusion: Exclude URLs that match the internal artifact repository (e.g., artifactory.internal.com or nexus.internal.com).
- Scenario: An employee clicks on a phishing link in a legitimate email from a known vendor (e.g., Microsoft or Google) during a security awareness training exercise.
  - Filter/Exclusion: Exclude URLs from known training domains or those flagged as part of a security training program (e.g., training.microsoft.com or security.google.com).
- Scenario: A user clicks on a URL in a log file to access a diagnostic tool or support page.
  - Filter/Exclusion: Exclude URLs that match internal diagnostic tools (e.g., diagtool.enterprise.com or support.diagtool.com).
- Scenario: A DevOps engineer clicks on a URL in a CI/CD pipeline to trigger a deployment or test script.
  - Filter/Exclusion: Exclude URLs that match internal CI/CD endpoints (e.g., ci.pipeline.enterprise.com or jenkins.enterprise.com).
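The following is an added example, not part of the original hunting query, showing how the aggregation above can be combined with the exclusion scenarios as a single tuned query. It assumes the Sentinel UrlClickEvents table with the TimeGenerated, ActionType, Url, IsClickedThrough and AccountUpn columns; the hosts in the allowlist are the placeholder domains from the scenarios, not real tenant data, and the ClickBlockedByTenantPolicy value is a documented Safe Links verdict that the original query does not count.

```kql
// Added example: URL click summary with a tuning allowlist built from the
// scenarios above. Assumption: UrlClickEvents as exposed in Sentinel.
let lookback = 7d;
// Hosts that produce benign clicks in this tenant (placeholders from the scenarios; tune per environment).
let AllowedHosts = dynamic([
    "support.ticket.system.com",
    "artifactory.internal.com",
    "nexus.internal.com",
    "training.microsoft.com",
    "security.google.com",
    "diagtool.enterprise.com",
    "support.diagtool.com",
    "ci.pipeline.enterprise.com",
    "jenkins.enterprise.com"
]);
UrlClickEvents
| where TimeGenerated > ago(lookback)
// Normalise to the host so one exclusion covers every path and query string on that host,
// rather than excluding on substrings of the full URL (which an attacker-controlled path could imitate)
| extend UrlHost = tolower(tostring(parse_url(Url).Host))
| where isnotempty(UrlHost) and not(UrlHost in (AllowedHosts))
// Exact-match the verdict instead of has_any; ClickBlockedByTenantPolicy is also a block outcome
| extend UrlBlocked = ActionType in ("ClickBlocked", "ClickBlockedByTenantPolicy"),
         UrlAllowed = ActionType == "ClickAllowed",
         UrlPendingVerdict = ActionType == "UrlScanInProgress",
         ErrorPage = ActionType == "UrlErrorPage"
| summarize Blocked = countif(UrlBlocked),
            Allowed = countif(UrlAllowed),
            PendingVerdict = countif(UrlPendingVerdict),
            Error = countif(ErrorPage),
            ClickedThrough = countif(IsClickedThrough),
            DistinctUsers = dcount(AccountUpn),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by Url, UrlHost
// Prioritise what deserves analyst time: warning pages the user clicked through,
// or URLs whose scan verdict was still pending when a click was allowed
| extend Suspicious = ClickedThrough > 0 or (PendingVerdict > 0 and Allowed > 0)
| order by Suspicious desc, ClickedThrough desc, Blocked desc
```

Excluding on the parsed host rather than on a substring of the URL is deliberate: a substring exclusion such as "contains support.ticket.system.com" would also suppress a lookalike URL that merely embeds that string in its path. Review the allowlist whenever DistinctUsers for an excluded host changes unexpectedly, since a compromised internal portal would otherwise be silently filtered out.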