Query Details

Email Attachment Executed

Query

Tags:

Query:
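EmailAttachmentInfo
// Keep only attachments that have a hash to match on
| where isnotempty(SHA256)
| join (
    // Process events, reduced to the columns needed for the match
    DeviceProcessEvents
    | project DeviceName, FileName, SHA256
) on SHA256
// Timestamp and FileName here come from EmailAttachmentInfo (the left side of the join)
| project Timestamp, DeviceName, FileName, SHA256, SenderFromAddress, RecipientEmailAddress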

References:

Explanation

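The query finds email attachments whose file hash also appears in device process events, which is how it identifies attachments that were executed. It first drops any attachments that do not have a SHA256 value, then joins the EmailAttachmentInfo table with the DeviceProcessEvents table on the SHA256 value. The final result includes the timestamp, device name, file name, SHA256 value, sender's email address, and recipient's email address. Because the DeviceProcessEvents side of the join projects no Timestamp, and its FileName column collides with the one from EmailAttachmentInfo, the Timestamp and FileName in the output are those of the email attachment, not of the process event.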
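The following is an added example, not part of the original query or the author's work: a variant of the same join that keeps both the email time and the process time and discards matches where the process ran before the email arrived. The `_sample` tables, their rows, the hash strings and the renamed columns (EmailTime, ProcessTime, AttachmentName, ProcessName) are constructed for illustration.

```kusto
// Constructed sample rows standing in for the two tables (not real data).
let EmailAttachmentInfo_sample = datatable(Timestamp:datetime, FileName:string, SHA256:string, SenderFromAddress:string, RecipientEmailAddress:string)
[
    datetime(2023-10-30 09:00:00), "invoice.exe", "aaaa-constructed-hash-1", "sender@example.com", "user1@example.org",
    datetime(2023-10-30 09:05:00), "report.pdf",  "",                        "sender@example.com", "user2@example.org",
    datetime(2023-10-30 09:10:00), "notes.docx",  "bbbb-constructed-hash-2", "other@example.com",  "user3@example.org"
];
let DeviceProcessEvents_sample = datatable(Timestamp:datetime, DeviceName:string, FileName:string, SHA256:string)
[
    datetime(2023-10-30 09:20:00), "pc-01", "invoice.exe",      "aaaa-constructed-hash-1",
    datetime(2023-10-30 08:30:00), "pc-02", "invoice_copy.exe", "aaaa-constructed-hash-1",
    datetime(2023-10-30 10:00:00), "pc-03", "cmd.exe",          "cccc-constructed-hash-3"
];
EmailAttachmentInfo_sample
// Same filter as the original query: attachments without a hash cannot be matched
| where isnotempty(SHA256)
// Rename before the join so neither Timestamp nor FileName is shadowed
| project EmailTime = Timestamp, AttachmentName = FileName, SHA256, SenderFromAddress, RecipientEmailAddress
| join kind=inner (
    DeviceProcessEvents_sample
    | where isnotempty(SHA256)
    | project ProcessTime = Timestamp, DeviceName, ProcessName = FileName, SHA256
) on SHA256
// A process that ran before the email was received cannot have come from that email
| where ProcessTime >= EmailTime
| project EmailTime, ProcessTime, DeviceName, AttachmentName, ProcessName, SHA256, SenderFromAddress, RecipientEmailAddress
| order by ProcessTime asc
```

On the sample rows this keeps only the pc-01 execution of invoice.exe: the pc-02 row shares the hash but predates the email, and the other rows have no matching hash.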

Details

Ali Hussein

Released: October 31, 2023

Tables

EmailAttachmentInfo, DeviceProcessEvents

Keywords

EmailAttachmentInfo, SHA256, DeviceProcessEvents, DeviceName, FileName, Timestamp, SenderFromAddress, RecipientEmailAddress

Operators

isnotempty, join, project