Query Details
name : EOP detection with Email Phish
description :
- These queries hunt for phishing mails detected by Exchange Online Protection (EOP)
- Case1 - EOP detection list
- Case2 - Filter EOP detection based on detection methods
table :
- EmailEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide
query : |
//Case1 - EOP detection list
// DetectionMethods is a JSON string such as {"Phish":["URL malicious reputation"]}.
// Expanding the Phish array yields one row per method, so mails flagged by several
// methods at once are matched too (an exact match on the whole array would miss them).
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(DetectionMethods)
| extend EOP_detection = parse_json(DetectionMethods)
| mv-expand PhishMethod = EOP_detection.Phish to typeof(string)
| where PhishMethod in
(
"URL malicious reputation",
"Advanced filter",
"General filter",
"Spoof intra-org",
"Spoof external domain",
"Spoof DMARC",
"Impersonation brand",
"Mixed analysis detection",
"File reputation",
"Fingerprint matching"
)
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, PhishMethod
//Case2 - Filter EOP detection based on detection methods
// Leave exactly one of the "where PhishMethod ==" lines uncommented to select a single method
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(DetectionMethods)
| extend EOP_detection = parse_json(DetectionMethods)
| mv-expand PhishMethod = EOP_detection.Phish to typeof(string)
| where PhishMethod == "URL malicious reputation"
//| where PhishMethod == "Advanced filter"
//| where PhishMethod == "General filter"
//| where PhishMethod == "Spoof intra-org"
//| where PhishMethod == "Spoof external domain"
//| where PhishMethod == "Spoof DMARC"
//| where PhishMethod == "Impersonation brand"
//| where PhishMethod == "Mixed analysis detection"
//| where PhishMethod == "File reputation"
//| where PhishMethod == "Fingerprint matching"
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, PhishMethod
The query searches for phishing emails detected by Exchange Online Protection (EOP) by parsing the JSON in the EmailEvents DetectionMethods column and reading its Phish array.
In Case 1, it lists EOP phishing detections from the past 7 days and keeps only those whose detection method is one of a known set, such as URL reputation, advanced filter, general filter, spoofing, impersonation, and more.
In Case 2, it narrows the EOP detections to phishing emails flagged by URL malicious reputation; the commented-out lines switch the filter to any of the other methods.
For each matching email the query returns the timestamp, network message ID, subject, sender, recipient, delivery location, and the EOP detection method.
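As an added example that is not part of the original query card, the following KQL reuses the same DetectionMethods parsing to triage the results: it rebuilds one row per message and recipient with the full set of phish methods that fired, and keeps only detections that still reached a mailbox folder instead of quarantine. DeliveryAction and DeliveryLocation are EmailEvents schema columns; the folder values in the filter ("Inbox/folder", "Junk folder") are documented DeliveryLocation values but should be checked against the tenant's data.

```kql
//Case3 (added) - EOP phish detections that were still delivered to a mailbox folder
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(DetectionMethods)
| extend EOP_detection = parse_json(DetectionMethods)
// one row per detection method, same as the mv-expand in Case 1 and Case 2
| mv-expand PhishMethod = EOP_detection.Phish to typeof(string)
| where isnotempty(PhishMethod)
// detected as phish, yet landed somewhere a user can see it (assumed folder values)
| where DeliveryLocation in ("Inbox/folder", "Junk folder")
// collapse the expanded rows back to one row per message/recipient,
// keeping every method that fired as a set
| summarize Methods = make_set(PhishMethod)
    by Timestamp, NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress,
       DeliveryAction, DeliveryLocation
| extend MethodCount = array_length(Methods)
// mails hit by several independent methods first: highest-confidence misses
| order by MethodCount desc, Timestamp desc
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress,
          DeliveryAction, DeliveryLocation, MethodCount, Methods
```

Rows with a high MethodCount and DeliveryLocation of "Inbox/folder" are the ones to review first, since several EOP verdicts agreed on phish but the policy outcome did not quarantine the mail.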

Kijo Girardi
Released: February 2, 2023