Microsoft could prioritise customer security and implement this very quickly.

It would also probably reduce their network log storage requirements ($$) by quite a bit...

Who has been clicking on Windows tray notifications & what's the url? #Defender #AdvancedHunting #malvertising

DeviceProcessEvents
| where FileName in~ ("msedge.exe","chrome.exe") and ProcessCommandLine has ("--notification-launch-id")
| extend u=tostring(split(ProcessCommandLine,"|",4)[0])
| where u startswith "http"
| distinct u,AccountUpn,DeviceName,FileName,DeviceId