← Back to Explore
kqlHunting
Modifications to SafeLinks AllowClickThrough Policy
Detection Query
OfficeActivity
| where TimeGenerated > ago(90d)
| where Operation == "Set-SafeLinksPolicy"
| where parse_json(Parameters)[13].Value == "True" and parse_json(Parameters)[13].Name == "AllowClickThrough"Data Sources
OfficeActivity
Platforms
office-365
Tags
office-365
Raw Content
OfficeActivity
| where TimeGenerated > ago(90d)
| where Operation == "Set-SafeLinksPolicy"
| where parse_json(Parameters)[13].Value == "True" and parse_json(Parameters)[13].Name == "AllowClickThrough"