A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and clicks a link to a known malicious domain. Which advanced hunting table should the analyst query to track the clicked URL?
Answer: EmailUrlInfo. This table includes the URL, click status, and other URL-related details, making it the table to query for tracking clicked links.
Why this answer
The EmailUrlInfo table in Advanced Hunting for Microsoft Defender XDR contains records of URLs that were present in emails, including the URL domain and whether the link was clicked. By joining EmailEvents with EmailUrlInfo on the NetworkMessageId, the analyst can identify when a user clicked a URL that leads to a known malicious domain, making it the correct table for tracking clicked URLs.
Exam trap
The trap here is that candidates often confuse EmailUrlInfo (which stores URL metadata and supports click tracking) with EmailEvents (which only contains email flow data), and so incorrectly select EmailEvents as the primary table for URL click analysis.
How to eliminate wrong answers
Option A is wrong because EmailEvents captures metadata about email delivery events (e.g., sender, recipient, delivery action) but does not include the specific URLs contained in the email or click actions. Option C is wrong because EmailAttachmentInfo tracks file attachments in emails, not URLs or link clicks. Option D is wrong because DeviceEvents logs system-level events on endpoints (e.g., process creation, registry changes) and does not contain email URL click data.