Query Details
name: Email Malware Detection list
description: Email, weekly malware detection list
table:
- EmailEvents - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide
- EmailAttachmentInfo - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailattachmentinfo-table?view=o365-worldwide
query:

//case1 - Email, weekly malware detection with linechart
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(ThreatNames)
// ThreatNames is a comma-separated string; expand it to one row per threat name
| extend ThreatName = split(ThreatNames, ",")
| mv-expand ThreatName
| summarize ThreatNumber = count() by tostring(ThreatName), bin(Timestamp, 1d)
| render linechart

//case2 - Email, weekly malware detection user list with NetworkMessageId
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(ThreatNames)
// Join on message AND recipient: both tables hold one row per recipient, so a join
// on NetworkMessageId alone pairs each recipient with every other recipient's
// attachment rows of the same message and inflates the per-user count
| join kind=inner EmailAttachmentInfo on NetworkMessageId, RecipientEmailAddress
| extend ThreatFamilyAttachment = strcat(ThreatNames, @"\", FileName, @"\", NetworkMessageId)
| summarize ThreatFamily_with_Attachment = make_list(ThreatFamilyAttachment) by RecipientEmailAddress
| extend Case = array_length(ThreatFamily_with_Attachment)
| project RecipientEmailAddress, Case, ThreatFamily_with_Attachment
| sort by Case desc

The query pulls every email that the filtering stack tagged with a threat name during the last seven days (Timestamp > ago(7d), evaluated at run time) and produces a weekly report in two parts. ThreatNames holds the detection name for any threat verdict, malware or phish alike, so add a filter on ThreatTypes if the report must list malware only.
Case 1 splits the comma-separated ThreatNames value into one row per threat name (split followed by mv-expand), counts those rows per day with bin(Timestamp, 1d), and renders a line chart with one series per threat name.
Case 2 joins each flagged message to its rows in EmailAttachmentInfo on NetworkMessageId and RecipientEmailAddress, builds a threat\file\message string per attachment, and collects those strings into a list per recipient. Case is the length of that list, so it counts flagged attachment rows rather than messages: a message carrying two flagged attachments contributes two entries, and a flagged message with no attachment row (for example a phishing link) is dropped by the inner join. The list is sorted by Case descending so the most-targeted recipients come first.
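The following is an added example, not part of the original query or its author's code: a self-contained KQL check built on constructed datatable rows (sample data, not real telemetry) that reuse the EmailEvents and EmailAttachmentInfo column names. It shows why case 2 must join on the recipient as well as the message ID, by computing the per-recipient count both ways side by side. It touches no real tables and can be pasted into any advanced hunting or Kusto editor.

```kql
// Constructed sample data: one EmailEvents row per recipient of each message.
let SampleEmailEvents = datatable(Timestamp:datetime, NetworkMessageId:string, RecipientEmailAddress:string, ThreatNames:string)
[
    datetime(2023-03-30 08:00), "msg-001", "alice@contoso.com", "Trojan:Win32/Example.A",
    datetime(2023-03-30 08:00), "msg-001", "bob@contoso.com",   "Trojan:Win32/Example.A",
    datetime(2023-03-31 09:15), "msg-002", "alice@contoso.com", "TrojanDownloader:O97M/Example.B",
];
// Constructed sample data: one EmailAttachmentInfo row per recipient per attachment.
let SampleEmailAttachmentInfo = datatable(NetworkMessageId:string, RecipientEmailAddress:string, FileName:string, ThreatNames:string)
[
    "msg-001", "alice@contoso.com", "invoice.zip", "Trojan:Win32/Example.A",
    "msg-001", "bob@contoso.com",   "invoice.zip", "Trojan:Win32/Example.A",
    "msg-002", "alice@contoso.com", "order.xlsm",  "TrojanDownloader:O97M/Example.B",
];
// Left side: join on the message ID only. Every recipient row of msg-001 is paired
// with both recipients' attachment rows, so each recipient is counted twice for it.
SampleEmailEvents
| join kind=inner SampleEmailAttachmentInfo on NetworkMessageId
| summarize MessageIdOnly = count() by RecipientEmailAddress
| join kind=inner (
    // Right side: join on message ID and recipient, which keeps exactly one row
    // per recipient per flagged attachment.
    SampleEmailEvents
    | join kind=inner SampleEmailAttachmentInfo on NetworkMessageId, RecipientEmailAddress
    | summarize PerRecipient = count() by RecipientEmailAddress
) on RecipientEmailAddress
| project RecipientEmailAddress, MessageIdOnly, PerRecipient
| sort by RecipientEmailAddress asc
```

With these rows alice received two flagged messages and bob one, but the message-only join credits alice with three attachment hits and bob with two, because msg-001 has two recipients and each recipient row meets both attachment rows; the two-key join returns two and one respectively. The inflation grows with the recipient count of a message, so on a real tenant a single bulk mailing with a flagged attachment can dominate the Case column.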

Kijo Girardi
Released: April 3, 2023