Query Details
// Detecting Misconfigured EXO Transport Rules
EmailEvents
| where EmailDirection == "Inbound"
| where isnotempty(ThreatClassification)
| where LatestDeliveryAction == "Delivered"
| where DeliveryLocation != "Junk folder"
| summarize Count=count() by tostring(parse_json(AdditionalFields)["TransportRuleGuid"])
This query is designed to identify potentially misconfigured Exchange Online (EXO) transport rules that might be allowing suspicious emails to be delivered to users' inboxes instead of being filtered out. Here's a breakdown of what the query does:
EmailEvents Table: The query starts by examining the EmailEvents table, which contains records of email activities.
Inbound Emails: It filters the data to only include emails that are coming into the organization (EmailDirection == "Inbound").
Threat Classification: It further narrows down the results to emails that have some form of threat classification (isnotempty(ThreatClassification)), indicating that these emails have been flagged for potential security issues.
Delivered Emails: The query looks for emails that were ultimately delivered to the recipient (LatestDeliveryAction == "Delivered").
Not in Junk Folder: It ensures that these delivered emails were not placed in the junk folder (DeliveryLocation != "Junk folder"), meaning they went directly to the inbox or another folder.
Summarize by Transport Rule: Finally, it counts how many such emails are associated with each transport rule, identified by the TransportRuleGuid. The GUID is extracted by parsing the AdditionalFields column as JSON and converting the value to a string. Where a message carries no TransportRuleGuid, tostring() returns an empty string, so those messages collect in a row with an empty key; that row represents flagged mail that reached the mailbox without any transport rule being involved and should be read separately from the per-rule rows.
In simple terms, the query is checking for emails that were flagged as potentially harmful but still ended up in users' inboxes, and it counts how many such emails are linked to each transport rule. This can help identify which rules might need to be reviewed or adjusted to improve email security.
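The same filter-and-summarize logic, re-implemented in Python over a handful of constructed EmailEvents-shaped rows so it can be run offline. This is an added example, not code from the page or its author; the message IDs, rule GUIDs and row values are made up, and the column names are taken from the query above. It also shows the empty-key bucket that the KQL produces for messages with no TransportRuleGuid, and an option to drop it.

```python
import json
from collections import Counter

# Constructed rows shaped like Defender XDR EmailEvents records (IDs and GUIDs are made up).
RULE_A = "11111111-aaaa-4bbb-8ccc-000000000001"
RULE_B = "22222222-aaaa-4bbb-8ccc-000000000002"
SAMPLE_EMAIL_EVENTS = [
    # Flagged inbound mail delivered to the inbox after transport rule A acted on it: counted.
    {"NetworkMessageId": "m1", "EmailDirection": "Inbound", "ThreatClassification": "Phish",
     "LatestDeliveryAction": "Delivered", "DeliveryLocation": "Inbox/folder",
     "AdditionalFields": json.dumps({"TransportRuleGuid": RULE_A})},
    {"NetworkMessageId": "m2", "EmailDirection": "Inbound", "ThreatClassification": "Malware",
     "LatestDeliveryAction": "Delivered", "DeliveryLocation": "Inbox/folder",
     "AdditionalFields": json.dumps({"TransportRuleGuid": RULE_A})},
    # Flagged but landed in Junk: excluded by DeliveryLocation != "Junk folder".
    {"NetworkMessageId": "m3", "EmailDirection": "Inbound", "ThreatClassification": "Phish",
     "LatestDeliveryAction": "Delivered", "DeliveryLocation": "Junk folder",
     "AdditionalFields": json.dumps({"TransportRuleGuid": RULE_A})},
    # Quarantined: excluded by LatestDeliveryAction == "Delivered".
    {"NetworkMessageId": "m4", "EmailDirection": "Inbound", "ThreatClassification": "Phish",
     "LatestDeliveryAction": "Quarantined", "DeliveryLocation": "Quarantine",
     "AdditionalFields": json.dumps({"TransportRuleGuid": RULE_A})},
    # Outbound: excluded by EmailDirection.
    {"NetworkMessageId": "m5", "EmailDirection": "Outbound", "ThreatClassification": "Spam",
     "LatestDeliveryAction": "Delivered", "DeliveryLocation": "Inbox/folder",
     "AdditionalFields": json.dumps({"TransportRuleGuid": RULE_B})},
    # No threat classification: excluded by isnotempty().
    {"NetworkMessageId": "m6", "EmailDirection": "Inbound", "ThreatClassification": "",
     "LatestDeliveryAction": "Delivered", "DeliveryLocation": "Inbox/folder",
     "AdditionalFields": json.dumps({"TransportRuleGuid": RULE_B})},
    # Flagged, delivered, but no transport rule involved: lands in the empty-key bucket.
    {"NetworkMessageId": "m7", "EmailDirection": "Inbound", "ThreatClassification": "Phish",
     "LatestDeliveryAction": "Delivered", "DeliveryLocation": "Inbox/folder",
     "AdditionalFields": "{}"},
    # Flagged inbound mail delivered after transport rule B: counted.
    {"NetworkMessageId": "m8", "EmailDirection": "Inbound", "ThreatClassification": "Spam",
     "LatestDeliveryAction": "Delivered", "DeliveryLocation": "Inbox/folder",
     "AdditionalFields": json.dumps({"TransportRuleGuid": RULE_B})},
]


def parse_additional_fields(raw):
    """Mirror parse_json(): accept a JSON string (or an already-parsed dict) and
    return a dict; empty or unparsable input becomes an empty dict."""
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw) if raw else {}
    except (TypeError, json.JSONDecodeError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def is_threat_delivered_to_mailbox(event):
    """The four where clauses of the hunting query applied to one row."""
    return (
        event.get("EmailDirection") == "Inbound"
        and bool(event.get("ThreatClassification"))
        and event.get("LatestDeliveryAction") == "Delivered"
        and event.get("DeliveryLocation") != "Junk folder"
    )


def count_by_transport_rule(events, drop_unattributed=False):
    """summarize Count=count() by tostring(parse_json(AdditionalFields)["TransportRuleGuid"]).

    KQL tostring() of a missing key yields "", so rows with no TransportRuleGuid
    collect under the empty string; drop_unattributed=True removes that bucket so
    only rows attributable to a specific transport rule remain.
    """
    counts = Counter()
    for event in events:
        if not is_threat_delivered_to_mailbox(event):
            continue
        guid = parse_additional_fields(event.get("AdditionalFields")).get("TransportRuleGuid") or ""
        if drop_unattributed and not guid:
            continue
        counts[str(guid)] += 1
    return dict(counts)


if __name__ == "__main__":
    for guid, count in sorted(count_by_transport_rule(SAMPLE_EMAIL_EVENTS).items(),
                              key=lambda kv: -kv[1]):
        print(f"{guid or '<no transport rule>'}: {count}")
```

Run against the sample rows, rule A is attributed two delivered threats, rule B one, and one message reached the inbox with no transport rule in its AdditionalFields. In a real tenant the GUIDs in the output are the ones to look up with Get-TransportRule to see which allow-list or SCL-override conditions let the mail through.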

Steven Lim
Released: March 21, 2025