New URL & domain pages in Microsoft 365 Defender
Want to easily investigate, take actions and pivot on URLs and domains? The new URL & domain pages will make it easier than ever.
Try it out: URL - Microsoft 365 security
Or you can navigate to it through incidents, alerts, advanced hunting, or by searching for a URL.
Now you will be able to:
- Get Domain details
Lets you spot newly registered domains at a glance right within the page and side panel. In an investigation, newly registered domains may be a useful indicator for a suspicious domain.
- See the URL verdict
We’ve added a new tile that shows the Microsoft verdict for malicious URLs, indicating whether the URL is known to be bad and why (observed in phishing, malware etc.).
- Pivot to Threat explorer
Navigate in context to Threat explorer to hunt for emails containing this URL or domain.
- See related incidents
Review incidents in your environment that involve this URL or domain. This will help correlate the URL to the attack(s) it was observed in.
More experiences:
Pivot from the URL to related devices
In a typical investigation, you may want to pivot from the URL to other related entities to explore the scope of the attack. For example, the devices where the URL was observed may be the next thing you want to look at. The device list now shows more details about the device, such as its risk level, operating system and more, helping you prioritize the next investigation step.
To make the pivoting easier and more efficient, you can now pivot to the device timeline directly from this list, to the first or last event that involved this URL or domain. And most importantly, you can look for related devices 6 months back with one click.
New Domain (FQDN) page
Aggregates information from different observed URLs under the same fully qualified domain name into one page. You can navigate easily from any specific URL page to the related domain page, for a broader view across multiple URLs. Investigations can now make use of new aggregated data points such as the domain prevalence & incidents.
Example: Domain - Microsoft 365 security
With these new features, you can now easily investigate URLs, pivot to connected devices, uplevel to investigating the domain in aggregate, and block the malicious entity.