You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/advanced-hunting-urlclickevents-table.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -49,6 +49,8 @@ For information on other tables in the advanced hunting schema, see [the advance
49
49
|`UrlChain`|`string`| For scenarios involving redirections, it includes URLs present in the redirection chain|
50
50
|`ReportId`|`string`| The unique identifier for a click event. For clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event.|
51
51
52
+
> [!NOTE]
53
+
> For clicks originating from email in Drafts and Sent items folders, email metadata is either not available or `NetworkMessageId` is assigned by default. In this case, `UrlClickEvents` can't be joined with `Email*` tables like `EmailEvents`, `EmailPostDeliveryEvents`, and others, using `NetworkMessageId`.
52
54
53
55
You can try this example query that uses the `UrlClickEvents` table to return a list of links where a user was allowed to proceed:
0 commit comments