Query Details

Email Threat Reports

Query

name : Email threat reports
description : 
  - Case1 - Daily mail detection by phishing activity for past 30 days
  - Case2 - Daily mail detection by spam activity for past 30 days
  - Case3 - Daily mail detection by malware activity for past 30 days
table : 
  - EmailEvents
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide
query: |
  //Email & collaboration tables - Case1
  // "has" is a whole-term match: "Phish" also matches a combined verdict such as "Phish, Spam",
  // but not an arbitrary substring. The same applies to Case2 and Case3 below.
  EmailEvents
  | where Timestamp > ago(30d)
  | where isnotempty(ThreatTypes)
  | where ThreatTypes has "Phish"
  | summarize count() by ThreatTypes, bin(Timestamp, 1d)
  | render linechart 


  //Email & collaboration tables - Case2
  EmailEvents
  | where Timestamp > ago(30d)
  | where isnotempty(ThreatTypes)
  | where ThreatTypes has "Spam"
  | summarize count() by ThreatTypes, bin(Timestamp, 1d)
  | render linechart 


  //Email & collaboration tables - Case3
  EmailEvents
  | where Timestamp > ago(30d)
  | where isnotempty(ThreatTypes)
  | where ThreatTypes has "Malware"
  | summarize count() by ThreatTypes, bin(Timestamp, 1d)
  | render linechart 

  

Explanation

The query reports email threat detections for the past 30 days in three cases: phishing, spam, and malware. Each case restricts EmailEvents to the last 30 days, keeps rows whose ThreatTypes verdict contains the term in question, counts rows per day and per ThreatTypes value, and renders the result as a line chart. Two points matter when reading the charts. First, because the summarize groups on the raw ThreatTypes string, a combined verdict such as "Phish, Spam" appears as its own series rather than being folded into the single-threat series. Second, EmailEvents holds one row per recipient (RecipientEmailAddress), so a message sent to many recipients is counted once per recipient, not once per message. A threat verdict also says nothing about what happened to the message; DeliveryAction and DeliveryLocation record whether it was blocked, junked, quarantined or delivered, and detected mail that was still delivered is the case worth following up. The isnotempty(ThreatTypes) filter is redundant with the has filter but harmless.
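As an added example, not one of the page's own queries, the three cases can be folded into a single query that charts all three verdicts at once. It assumes that ThreatTypes is a comma-separated verdict string (for example "Phish, Spam"), which is how the column is documented, and splits that string so a message counts once under each verdict it carries; it also counts distinct NetworkMessageId values so a message to many recipients is counted once.

```kql
// Added example, not from the original page: all three cases in one chart.
EmailEvents
| where Timestamp > ago(30d)
// has_any matches whole terms, so "Phish" matches "Phish, Spam" but not a substring.
| where ThreatTypes has_any ("Phish", "Spam", "Malware")
// Assumption: ThreatTypes is a comma-separated verdict list. Split it so a combined
// verdict such as "Phish, Spam" contributes to both the Phish and the Spam series
// instead of forming a fourth series of its own.
| extend ThreatType = split(ThreatTypes, ",")
| mv-expand ThreatType to typeof(string)
| extend ThreatType = trim(@"\s+", ThreatType)
| where ThreatType in ("Phish", "Spam", "Malware")
// EmailEvents has one row per recipient; count distinct messages so one mail
// sent to 50 users is not reported as 50 detections.
| summarize Messages = dcount(NetworkMessageId) by ThreatType, bin(Timestamp, 1d)
| render timechart
```

To see whether detected mail actually reached users, add DeliveryAction to the by clause: its values Delivered, Junked, Blocked and Replaced record the filter's outcome, and a rising Delivered count for Phish or Malware is the series to alert on rather than the raw detection volume.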

Details


Kijo Girardi

Released: January 28, 2023

Tables

EmailEvents

Keywords

EmailEvents,Timestamp,ThreatTypes,Phish,Spam,Malware,count(),bin(),render,ago(30d),isnotempty()

Operators

where, isnotempty(), has, summarize, count(), bin(), render
