
Microsoft 365 Defender - Get Email URL Clicks

This playbook is part of the Microsoft 365 Defender Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook retrieves email data based on the URLDomain and MessageID inputs. It uses Microsoft Defender XDR Advanced Hunting to search only for URL click events that match the playbook inputs, and then enriches those click events with the full data of the email they came from.

URLDomain - If the “URLDomain” value is found as a substring of the URL(s) in the body of the email, the email is retrieved.

MessageID - The message ID of the email from which the URL was clicked. Note that this can be either of the following two values:

  • The value of the header "Message-ID".
  • The internal ID of the message within Microsoft's products (e.g., NetworkMessageId).

Can be a single MessageID or an array of MessageIDs to search.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • Microsoft 365 Defender

Scripts

  • IsIntegrationAvailable
  • SetAndHandleEmpty

Commands

  • microsoft-365-defender-advanced-hunting

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| URLDomain | Represents a domain or URL. Can be a single domain or URL, or an array of domains or URLs to search. The search looks for URLs containing this input that were clicked within emails. | | Optional |
| MessageID | MessageID of the email from which the URL was clicked. Note that this can be either of the following two values: the value of the header "Message-ID", or the internal ID of the message within Microsoft's products (e.g., NetworkMessageId). Can be a single MessageID or an array of MessageIDs to search. | | Optional |
| Timeout | The time limit in seconds for the HTTP request to run. Default is 120. | 120 | Optional |
| SearchTimeframe | Number of days past to search. Default is 7. | 7 | Optional |
| ResultsLimit | Number of retrieved entries. Enter -1 for unlimited query. 50 is the default. | 50 | Optional |
| ListenerMailbox | The mailbox of the listening integration. In case it is provided, the emails found in it will be ignored. | | Optional |
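The description above and the inputs table together describe one procedure: turn URLDomain, MessageID, SearchTimeframe and ResultsLimit into an Advanced Hunting query over URL click events, join each click to its email record, and drop anything delivered to ListenerMailbox. The following Python is an added example that is not the playbook's own code or query. The table and column names (UrlClickEvents, EmailEvents, NetworkMessageId, InternetMessageId, IsClickedThrough, UrlChain, Workload) are the public Advanced Hunting schema; the way the inputs are mapped onto the query, the `build_url_click_query` and `enrich_clicks` functions, and the sample rows are this example's assumptions. Each input is quoted as a KQL string literal with backslashes and double quotes escaped, so a value taken from an incident cannot terminate the literal and append extra operators to the hunting query.

```python
"""Added example (not the playbook's own code): build the Advanced Hunting
query the playbook inputs describe, then merge the click events with the
matching email records and ignore the listener mailbox."""
from __future__ import annotations

from typing import Any, Iterable


def _kql_str(value: str) -> str:
    """Quote a value as a KQL string literal. Backslashes and double quotes
    are escaped so an untrusted input cannot close the literal and smuggle
    extra query operators into the hunting query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _as_list(value: str | Iterable[str] | None) -> list[str]:
    """Playbook inputs may be a single string or an array; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value] if value else []
    return [str(v) for v in value if v]


def build_url_click_query(
    url_domain: str | Iterable[str] | None = None,
    message_id: str | Iterable[str] | None = None,
    search_timeframe: int = 7,
    results_limit: int = 50,
) -> str:
    """Return a KQL query over UrlClickEvents joined to EmailEvents.

    Assumed mapping of the playbook inputs (this example's, not the
    playbook's): URLDomain is a substring match on the clicked Url,
    MessageID matches either NetworkMessageId or InternetMessageId,
    SearchTimeframe bounds both tables, ResultsLimit of -1 means no limit.
    """
    domains = _as_list(url_domain)
    ids = _as_list(message_id)
    if not domains and not ids:
        raise ValueError("at least one of URLDomain or MessageID is required")
    if int(search_timeframe) < 1:
        raise ValueError("SearchTimeframe must be at least one day")

    window = f"ago({int(search_timeframe)}d)"
    lines = [
        "UrlClickEvents",
        f"| where Timestamp > {window}",
        '| where Workload == "Email"',
    ]
    if domains:
        # "contains" is a substring match, which is what the URLDomain input describes.
        lines.append("| where " + " or ".join(f"Url contains {_kql_str(d)}" for d in domains))
    # Rename the click timestamp before the join so it sits beside the
    # email's own Timestamp instead of being suffixed as Timestamp1.
    lines.append(
        "| project ClickTimestamp=Timestamp, Url, ActionType, AccountUpn, "
        "NetworkMessageId, IsClickedThrough, UrlChain, IPAddress"
    )
    lines.append(f"| join kind=inner (EmailEvents | where Timestamp > {window}) on NetworkMessageId")
    if ids:
        # MessageID may be the "Message-ID" header (InternetMessageId in the
        # schema) or Microsoft's internal NetworkMessageId; accept both.
        id_list = ", ".join(_kql_str(i) for i in ids)
        lines.append(f"| where NetworkMessageId in ({id_list}) or InternetMessageId in ({id_list})")
    if int(results_limit) != -1:
        lines.append(f"| limit {int(results_limit)}")
    return "\n".join(lines)


def enrich_clicks(
    clicks: list[dict[str, Any]],
    emails: list[dict[str, Any]],
    listener_mailbox: str | None = None,
) -> list[dict[str, Any]]:
    """Join click rows to email rows on NetworkMessageId (done here in Python
    to show the enrichment step) and skip emails in the listener mailbox."""
    by_id: dict[str, list[dict[str, Any]]] = {}
    for email in emails:
        by_id.setdefault(email["NetworkMessageId"], []).append(email)
    listener = (listener_mailbox or "").lower()
    enriched = []
    for click in clicks:
        for email in by_id.get(click["NetworkMessageId"], []):
            if listener and email.get("RecipientEmailAddress", "").lower() == listener:
                continue  # the listening integration's own copy is ignored
            row = dict(email)
            row.update(
                Url=click["Url"], ClickTimestamp=click["Timestamp"],
                ActionType=click["ActionType"], IsClickedThrough=click["IsClickedThrough"],
            )
            enriched.append(row)
    return enriched


# Constructed sample rows (not real telemetry): one user click and the copy
# that landed in the SOC listener mailbox.
SAMPLE_CLICKS = [
    {"Timestamp": "2024-05-01T10:02:00Z", "Url": "https://login.phish-sample.test/auth",
     "ActionType": "ClickAllowed", "AccountUpn": "alice@corp.test",
     "NetworkMessageId": "nmid-0001", "IsClickedThrough": 1},
    {"Timestamp": "2024-05-01T10:05:00Z", "Url": "https://login.phish-sample.test/auth",
     "ActionType": "ClickBlocked", "AccountUpn": "soc-listener@corp.test",
     "NetworkMessageId": "nmid-0002", "IsClickedThrough": 0},
]
SAMPLE_EMAILS = [
    {"NetworkMessageId": "nmid-0001", "InternetMessageId": "<abc@sender.test>",
     "RecipientEmailAddress": "alice@corp.test", "Subject": "Reset your password"},
    {"NetworkMessageId": "nmid-0002", "InternetMessageId": "<abc@sender.test>",
     "RecipientEmailAddress": "soc-listener@corp.test", "Subject": "Reset your password"},
]

if __name__ == "__main__":
    print(build_url_click_query(url_domain="phish-sample.test", message_id="<abc@sender.test>"))
    for row in enrich_clicks(SAMPLE_CLICKS, SAMPLE_EMAILS, "soc-listener@corp.test"):
        print(row["RecipientEmailAddress"], row["Url"], row["IsClickedThrough"])
```

Run stand-alone, the script prints the generated query and a single enriched row: the click from the listener mailbox is dropped, and the remaining row carries both the email fields (Subject, InternetMessageId) and the click fields (Url, ClickTimestamp, IsClickedThrough), which is the shape of the Microsoft365Defender.RetrievedEmails output documented below.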

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Microsoft365Defender.RetrievedEmails.UrlCount | Number of embedded URLs in the email. | number |
| Microsoft365Defender.RetrievedEmails.InternetMessageId | Public-facing identifier for the email that is set by the sending email system. This is the value of the "Message-ID" header. | string |
| Microsoft365Defender.RetrievedEmails.SenderFromDomain | Sender domain in the FROM header, which is visible to email recipients on their email clients. | string |
| Microsoft365Defender.RetrievedEmails.EmailDirection | Direction of the email relative to your network: Inbound, Outbound, Intra-org. | string |
| Microsoft365Defender.RetrievedEmails.AccountUpn | User principal name (UPN) of the account. | string |
| Microsoft365Defender.RetrievedEmails.IsClickedThrough | Indicates whether the user was able to click through to the original URL or not. | number |
| Microsoft365Defender.RetrievedEmails.DeliveryLocation | Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items. | string |
| Microsoft365Defender.RetrievedEmails.AuthenticationDetails | List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth). | string |
| Microsoft365Defender.RetrievedEmails.DeliveryAction | Delivery action of the email: Delivered, Junked, Blocked, or Replaced. | string |
| Microsoft365Defender.RetrievedEmails.BulkComplaintLevel | Threshold assigned to emails from bulk mailers. A high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam. | string |
| Microsoft365Defender.RetrievedEmails.Subject | Subject of the email. | string |
| Microsoft365Defender.RetrievedEmails.AttachmentCount | Number of attachments in the email. | number |
| Microsoft365Defender.RetrievedEmails.IPAddress | IP address assigned to the device during communication. | string |
| Microsoft365Defender.RetrievedEmails.DetectionMethods | Methods used to detect whether the URL contains or leads to malware, phishing, or other threats. | string |
| Microsoft365Defender.RetrievedEmails.ThreatNames | Detection name for malware or other threats found. | string |
| Microsoft365Defender.RetrievedEmails.Url | URL that was clicked. | string |
| Microsoft365Defender.RetrievedEmails.ActionType | Type of activity that triggered the event. | string |
| Microsoft365Defender.RetrievedEmails.RecipientEmailAddress | Email address of the recipient, or email address of the recipient after distribution list expansion. | string |
| Microsoft365Defender.RetrievedEmails.EmailAction | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, Send to quarantine, No action taken, Bcc message. | string |
| Microsoft365Defender.RetrievedEmails.UrlChain | List of URLs in the redirection chain. | string |
| Microsoft365Defender.RetrievedEmails.NetworkMessageId | Unique identifier for the email, generated by Office 365. | string |
| Microsoft365Defender.RetrievedEmails.SenderFromAddress | Sender email address in the FROM header, which is visible to email recipients on their email clients. | string |
| Microsoft365Defender.RetrievedEmails.Timestamp | Date and time when the record was generated (email event). | string |
| Microsoft365Defender.RetrievedEmails.DisplayName | Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname. | string |
| Microsoft365Defender.RetrievedEmails.SenderIPv4 | IPv4 address of the last detected mail server that relayed the message. | string |
| Microsoft365Defender.RetrievedEmails.ConfidenceLevel | List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low". | string |
| Microsoft365Defender.RetrievedEmails.SenderMailFromDomain | Sender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address. | string |
| Microsoft365Defender.RetrievedEmails.SenderIPv6 | IPv6 address of the last detected mail server that relayed the message. | string |
| Microsoft365Defender.RetrievedEmails.SenderMailFromAddress | Sender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address. | string |
| Microsoft365Defender.RetrievedEmails.ThreatTypes | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. | unknown |
| Microsoft365Defender.RetrievedEmails | Email objects containing relevant fields related to URL click events. | string |
| Microsoft365Defender.RetrievedEmails.ClickTimestamp | Date and time when the record was generated (URL click). | unknown |

Playbook Image

[Image: Microsoft Defender XDR - Get Email URL Clicks]