Defender Cheatsheet
Find all mails from the sender domain, all clicks on URLs containing the domain, and all clicks and post-delivery actions for the affected users
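// Hunt for one suspicious domain across mail delivery, URL clicks and
// post-delivery remediation. The query sets no time filter of its own.
let custom_domain="$YOUR_DOMAIN";
EmailEvents
// `contains` is a substring match, so lookalike sender domains that embed the
// string are returned too; switch to `=~` when only the exact domain is wanted.
| where SenderFromDomain contains custom_domain
// Every recorded click by a recipient of such a mail. The match is per user, not
// per message, so clicks unrelated to the mail are listed as well.
// NOTE(review): assumes AccountUpn equals the recipient's SMTP address — confirm for the tenant.
| join kind=leftouter (
    UrlClickEvents
    | project UserClickTime = Timestamp, UserClickUrl = Url, UserClickAction = ActionType,
              AccountUpn, IsClickedThrough
  ) on $left.RecipientEmailAddress == $right.AccountUpn
// Clicks on URLs containing the domain. fullouter keeps clicks by accounts that
// have no matching mail in EmailEvents.
| join kind=fullouter (
    UrlClickEvents
    | where Url contains custom_domain
    | project DomainClickTime = Timestamp, DomainClickUrl = Url, DomainClickAction = ActionType,
              DomainClickUpn = AccountUpn, DomainClickedThrough = IsClickedThrough
  ) on $left.RecipientEmailAddress == $right.DomainClickUpn
// Remediation is matched on message AND recipient: NetworkMessageId alone would
// attach another recipient's remediation of the same message to this row.
| join kind=leftouter (
    EmailPostDeliveryEvents
    | project RemediationTime = Timestamp, RemediationAction = ActionType,
              NetworkMessageId, RecipientEmailAddress
  ) on NetworkMessageId, RecipientEmailAddress
// coalesce picks the first non-empty value; strcat would glue both values into one
// unreadable string and turn the datetime columns into text.
| extend Url = coalesce(UserClickUrl, DomainClickUrl)
| extend Recipient = coalesce(RecipientEmailAddress, AccountUpn, DomainClickUpn)
| extend Timeclicked = coalesce(UserClickTime, DomainClickTime)
| extend TimeRemediation = RemediationTime
| extend ClickAction = coalesce(UserClickAction, DomainClickAction)
// Click verdict and remediation action stay in one column, separated when both exist.
| extend ActionType = strcat(ClickAction, iff(isnotempty(ClickAction) and isnotempty(RemediationAction), " | ", ""), RemediationAction)
| extend IsClickedThrough = coalesce(IsClickedThrough, DomainClickedThrough)
// Timestamp is the mail delivery time from EmailEvents; it is empty on click-only rows.
| project Url, Recipient, AttachmentCount, Timestamp, Timeclicked, TimeRemediation, ActionType, IsClickedThrough, DeliveryAction
// The two click joins multiply rows per recipient; collapse the identical ones.
| distinct *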