Query Details

Email MDO Malware Detection

Query

name : MDO detection with Email Malware
description : 
- These queries hunt for malware emails detected by Microsoft Defender for Office 365 (MDO), using the DetectionMethods column of EmailEvents
- Case1 - List MDO malware detections whose detection method is one of file detonation, file detonation reputation, URL detonation, URL detonation reputation or campaign
- Case2 - Filter MDO malware detections on a single detection method
table : 
- EmailEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide
query : |
    //Case1 - MDO detection list
    // DetectionMethods is a JSON bag keyed by threat type, e.g. {"Malware":["File detonation"]};
    // .Malware is the list of methods that produced the Malware verdict.
    EmailEvents
    | where Timestamp > ago(7d)
    | where isnotempty(DetectionMethods)
    | extend MDO_detection = parse_json(DetectionMethods)
    // Exact match on the serialised array: only rows whose Malware list holds
    // exactly one of these methods are returned (see Explanation).
    | where tostring(MDO_detection.Malware) in 
      (
       @'["File detonation"]',
       @'["File detonation reputation"]',
       @'["URL detonation"]',
       @'["URL detonation reputation"]',
       @'["Campaign"]'
      )
    | project Timestamp, Subject, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, MDO_detection.Malware


    //Case2 - Filter MDO detection based on detection methods
    // Run separately from Case1; keep exactly one of the method filters uncommented.
    EmailEvents
    | where Timestamp > ago(7d)
    | where isnotempty(DetectionMethods)
    | extend MDO_detection = parse_json(DetectionMethods)
    | where tostring(MDO_detection.Malware) == @'["File detonation"]'
    //| where tostring(MDO_detection.Malware) == @'["File detonation reputation"]'
    //| where tostring(MDO_detection.Malware) == @'["URL detonation"]'
    //| where tostring(MDO_detection.Malware) == @'["URL detonation reputation"]'
    //| where tostring(MDO_detection.Malware) == @'["Campaign"]'
    | project Timestamp, Subject, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, MDO_detection.Malware

Explanation

The query hunts for emails that Microsoft Defender for Office 365 (MDO) flagged as malware, using the EmailEvents table. DetectionMethods is a JSON string keyed by threat type (Malware, Phish, Spam), each key holding the list of methods that produced that verdict; parse_json() turns it into a dynamic object so the Malware list can be filtered.

In Case 1, it retrieves MDO detections from the past 7 days whose Malware detection method is file detonation, file detonation reputation, URL detonation, URL detonation reputation, or campaign.

In Case 2, it filters for file detonation only. The commented lines can be swapped in, one at a time, to filter for the other detection methods.

Both cases compare the serialised Malware array against a literal such as @'["File detonation"]', so a message whose Malware list contains more than one method (for example both file detonation and campaign) does not match either case. When that matters, test the array with has (MDO_detection.Malware has "File detonation") or expand it with mv-expand instead of matching the whole string.

The query returns the timestamp, subject, network message ID, sender address, recipient address, delivery location, and the malware detection methods. DeliveryLocation is the field to triage on: Quarantine or Junk folder means the verdict was enforced, while Inbox/folder means the message reached a mailbox and needs follow-up, including a check of LatestDeliveryLocation to see whether a post-delivery action removed it.
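The following is an added example, not part of the original page or the author's query. It expands every threat type and method in DetectionMethods with mv-expand instead of matching one serialised array, so rows with several detection methods are not missed, and it surfaces the detections that were not enforced first. It assumes DetectionMethods looks like the constructed sample {"Malware":["File detonation","Campaign"]} and that DeliveryLocation and LatestDeliveryLocation carry the values documented for EmailEvents.

```kql
// Added example (not the original page's query).
// Assumed input shape (constructed sample):
//   DetectionMethods = {"Malware":["File detonation","Campaign"],"Phish":["URL reputation"]}
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(DetectionMethods)
| extend MDO_detection = parse_json(DetectionMethods)
// bagexpansion=array turns each property into a [key, value] pair:
//   ["Malware", ["File detonation","Campaign"]]
| mv-expand bagexpansion=array Detection = MDO_detection
| extend ThreatType = tostring(Detection[0])
// Second expansion: one row per individual detection method
| mv-expand Method = Detection[1] to typeof(string)
| where ThreatType == "Malware"
| where Method in ("File detonation", "File detonation reputation",
                   "URL detonation", "URL detonation reputation", "Campaign")
// Detections that still reached a mailbox are the ones to chase first
// (DeliveryLocation values assumed from the EmailEvents documentation)
| extend ReachedMailbox = DeliveryLocation in ("Inbox/folder", "On-premises/external")
| project Timestamp, Subject, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, DeliveryLocation, LatestDeliveryLocation,
          ThreatType, Method, ReachedMailbox
| order by ReachedMailbox desc, Timestamp desc
```

Because each method is now its own row, the same pipeline can end in summarize Messages = dcount(NetworkMessageId) by Method, DeliveryLocation to see which detection methods are enforced and which are only reporting.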

Details


Kijo Girardi

Released: February 2, 2023

Tables

EmailEvents

Keywords

EmailEvents,Timestamp,DetectionMethods,MDO_detection,Malware,Subject,NetworkMessageId,SenderFromAddress,RecipientEmailAddress,DeliveryLocation

Operators

ago() isnotempty() parse_json() tostring() in where extend project
