Query Details

Email EOP Malware Detection

Query

name : EOP detection with Email Malware
description : 
- These queries are going to hunt for - Malware mails with Exchange Online Protection
- Case1 - EOP detection list 
- Case2 - Filter EOP detection based on detection methods
table : 
- EmailEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide
query : |
    //Case1 - EOP detection list 
    EmailEvents
    | where Timestamp > ago(7d)
    | where isnotempty(DetectionMethods)
    | extend EOP_detection = parse_json(DetectionMethods)
    | where EOP_detection.Malware in 
      (
       @'["File reputation"]',
       @'["Antimalware engine"]',
       @'["URL malicious reputation"]'
      )
    | project Timestamp, Subject, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, EOP_detection.Malware


    //Case2 - Filter EOP detection based on detection methods
    EmailEvents
    | where Timestamp > ago(7d)
    | where isnotempty(DetectionMethods)
    | extend EOP_detection = parse_json(DetectionMethods)
    | where EOP_detection.Malware == @'["File reputation"]'
    //| where EOP_detection.Malware == @'["Antimalware engine"]'
    //| where EOP_detection.Malware == @'["URL malicious reputation"]'
    | project Timestamp, Subject, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, EOP_detection.Malware

Explanation

The query is searching for malware emails detected by Exchange Online Protection (EOP).

In Case 1, it lists EOP malware detections from the past 7 days, keeping only messages whose Malware detection method is one of file reputation, antimalware engine, or URL malicious reputation.

In Case 2, it narrows the EOP detections to malware emails detected by file reputation. The conditions for the other detection methods (antimalware engine and URL malicious reputation) are commented out; uncomment one of them in place of the file-reputation line to filter on that method instead.

Both cases return the timestamp, subject, network message ID, sender address, recipient address, delivery location, and the Malware entry of DetectionMethods, i.e. the method EOP used to detect the malware.
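The filter logic of both cases, replayed offline over constructed rows shaped like EmailEvents. This is an added Python example, not part of the original query card or of Microsoft's tooling; the row values are made up, and only the column names (NetworkMessageId, Subject, DeliveryLocation, DetectionMethods) come from the page. It also shows the edge case the KQL comparison leaves out: because the query compares the whole Malware array to a single-element JSON literal, a message detected by more than one method at once (such as URL malicious reputation together with the antimalware engine) does not match, whereas an element-membership check does.

```python
import json

# Constructed sample rows shaped like the EmailEvents table (not real tenant data).
# DetectionMethods is a JSON string keyed by threat category; each value is an
# array of detection method names.
SAMPLE_EMAILEVENTS = [
    {"NetworkMessageId": "msg-001", "Subject": "Invoice", "DeliveryLocation": "Quarantine",
     "DetectionMethods": '{"Malware":["File reputation"]}'},
    {"NetworkMessageId": "msg-002", "Subject": "Report", "DeliveryLocation": "Quarantine",
     "DetectionMethods": '{"Malware":["Antimalware engine"]}'},
    # Two methods fired on the same message: the exact-array match below misses it.
    {"NetworkMessageId": "msg-003", "Subject": "Link", "DeliveryLocation": "Quarantine",
     "DetectionMethods": '{"Malware":["URL malicious reputation","Antimalware engine"]}'},
    # Phish category only, no Malware key (constructed value).
    {"NetworkMessageId": "msg-004", "Subject": "Hello", "DeliveryLocation": "Inbox/folder",
     "DetectionMethods": '{"Phish":["Spoof intra-org"]}'},
    # Empty DetectionMethods, dropped by the isnotempty() filter.
    {"NetworkMessageId": "msg-005", "Subject": "Newsletter", "DeliveryLocation": "Inbox/folder",
     "DetectionMethods": ""},
]

# The three EOP malware methods the Case1 query lists.
EOP_MALWARE_METHODS = ("File reputation", "Antimalware engine", "URL malicious reputation")


def malware_methods(row):
    """Stand-in for parse_json(DetectionMethods).Malware.

    Returns the Malware array, or None when the column is empty or has no Malware key.
    """
    raw = row.get("DetectionMethods") or ""
    if not raw:  # isnotempty(DetectionMethods)
        return None
    return json.loads(raw).get("Malware")


def case1_exact(rows):
    """Mirror of Case1: the whole Malware array must equal one single-element array."""
    targets = [[m] for m in EOP_MALWARE_METHODS]
    return [r["NetworkMessageId"] for r in rows if malware_methods(r) in targets]


def case2_exact(rows, method="File reputation"):
    """Mirror of Case2: keep only messages whose Malware array is exactly [method]."""
    return [r["NetworkMessageId"] for r in rows if malware_methods(r) == [method]]


def any_method(rows, methods=EOP_MALWARE_METHODS):
    """Element-membership variant: match when any listed method appears in the array.

    This catches multi-method detections that the exact-array comparison skips.
    """
    hits = []
    for r in rows:
        found = malware_methods(r)
        if found and any(m in methods for m in found):
            hits.append(r["NetworkMessageId"])
    return hits


if __name__ == "__main__":
    print("Case1 (exact array):", case1_exact(SAMPLE_EMAILEVENTS))
    print("Case2 (file reputation):", case2_exact(SAMPLE_EMAILEVENTS))
    print("Any method (membership):", any_method(SAMPLE_EMAILEVENTS))
```

Running it shows msg-003 only in the membership result. In KQL the equivalent of `any_method` is an element test on the dynamic array (for example with `has_any` after `mv-expand`, or `set_has_element`) rather than comparing the array to a string literal, which is worth keeping in mind when the hunt must not miss messages that triggered several detection methods.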

Details

Kijo Girardi

Released: February 2, 2023

Tables

EmailEvents

Keywords

EOP, Malware, Mails, ExchangeOnlineProtection, Case1, Case2, DetectionMethods, Filereputation, Antimalwareengine, URLmaliciousreputation, Timestamp, Subject, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, DeliveryLocation

Operators

toscalar(), arg_max(), count(), mv-expand
