When reviewing the ATP Event search or Incident Event list, you see that some Vantage 4113 Malicious traffic detected events do not have any data for 'data_source_url' or 'data_source_url_domain'.
The ATP: Network software can find a URI request malicious based on other parts of the request before the full URL is seen. Sometimes this is due to the URL being long enough that it was not included in the same packet.
There are different reasons for which a Vantage detection may have a NULL URL. Depending on the technique and protocol used for the detection, the URL may or may not be present.
For example, a detection over SSL3 will not contain the HTTP URL.