This demo builds an Advanced hunting query in Microsoft 365 Defender to find URL clicks that result in file downloads. It starts with browser navigation in DeviceEvents, connects it to downloaded file activity in DeviceFileEvents, then brings in UrlClickEvents so you can tell when a downloaded file traces back to a link clicked from an email (including the network message ID). The walkthrough turns the query into a reusable pattern—defining variables with let, joining tables on DeviceId and RemoteUrl, pulling in SmartScreen URL warnings with a leftouter join, and projecting the key columns (timestamp, file name, remote URL, warning signals, email-click context). It also addresses common attacker behavior like chained redirects by extending the logic to consider referral URLs, so you can catch “clicked A, downloaded B” paths that would otherwise slip by.
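The query shape described above, as an added example that is not the query shown in the video. The 7-day lookback, the 10-minute navigation-to-download window, the variable names, and the choice of `FileOriginUrl`/`FileOriginReferrerUrl` as the download's URL source are assumptions made for this illustration.

```kusto
// Added example, not the video's query. Lookback, time window and variable names are assumptions.
let lookback = 7d;
let maxGap = 10m;   // assumed maximum delay between navigation and file creation
// Browser navigations recorded on the device.
let browserNav = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "BrowserLaunchedToOpenUrl" and RemoteUrl startswith "http"
    | project NavTime = Timestamp, DeviceId, DeviceName, RemoteUrl;
// SmartScreen URL warnings, summarized per device and URL for the leftouter join.
let urlWarnings = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "SmartScreenUrlWarning"
    | summarize WarningCount = count(), FirstWarning = min(Timestamp) by DeviceId, RemoteUrl;
// Links clicked from email, keyed by URL and carrying the network message ID.
let emailClicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | where Workload == "Email"
    | summarize ClickTime = min(Timestamp) by RemoteUrl = Url, NetworkMessageId, AccountUpn;
// Downloaded files. Each file yields one row per candidate URL (origin and
// referrer) so a "clicked A, downloaded B" redirect still matches on A.
let downloads = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated" and isnotempty(FileOriginUrl)
    | extend Candidate = pack_array(FileOriginUrl, FileOriginReferrerUrl)
    | mv-expand Candidate to typeof(string)
    | where isnotempty(Candidate)
    | project DownloadTime = Timestamp, DeviceId, FileName, SHA256,
              FileOriginUrl, FileOriginReferrerUrl, RemoteUrl = Candidate;
downloads
| join kind=inner browserNav on DeviceId, RemoteUrl
| where DownloadTime >= NavTime and DownloadTime <= NavTime + maxGap
| join kind=leftouter urlWarnings on DeviceId, RemoteUrl
| join kind=leftouter emailClicks on RemoteUrl
| extend FromEmailClick = isnotempty(NetworkMessageId)
| project DownloadTime, DeviceName, FileName, SHA256, RemoteUrl,
          FileOriginUrl, FileOriginReferrerUrl,
          WarningCount, FirstWarning,
          FromEmailClick, ClickTime, NetworkMessageId, AccountUpn
| order by DownloadTime desc
```

The joins compare URLs as exact strings, so a clicked link that differs from the navigated URL only by a trailing slash, casing, or tracking parameters will not match unless the URLs are normalized first.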
We produced this as a power-user tutorial that stays practical—less theory, more “here’s the exact query shape you’ll reuse.” Preproduction focused on the story arc, production captured clean UI and readable code with narration that calls out why each join matters, and post kept the pacing tight while still letting viewers absorb the structure. Delivered with closed captions, audio description, and thumbnails.



