Query Details
Email Events Sender TLD Count
Query
EmailEvents
| extend FQDN = trim_end("(:|\\?).*", tostring(split(trim_start('http(.|)://', SenderFromDomain), "/")[0]))
//| project-reorder FQDN, UrlDomain
| where FQDN contains "." // exclude singular hostnames used in local name resolution
| where DeliveryAction == "Delivered"
| extend TLD = tostring(split(FQDN, ".")[-1])
| summarize count() by TLD, EmailDirection
Explanation
This KQL (Kusto Query Language) query is analyzing email events to provide a summary of email traffic based on the top-level domain (TLD) of the sender's domain and the direction of the email (incoming or outgoing). Here's a breakdown of what the query does:
-
Extract FQDN: It extracts the fully qualified domain name (FQDN) from the
SenderFromDomainfield by removing any URL scheme (http://orhttps://) and any trailing characters after a colon or question mark. -
Filter by FQDN: It filters out entries where the FQDN does not contain a dot, which typically means excluding local hostnames that are not fully qualified.
-
Filter by Delivery Action: It only considers emails that have been successfully delivered.
-
Extract TLD: It extracts the top-level domain (TLD) from the FQDN, which is the last segment after the final dot.
-
Summarize: It counts the number of emails for each combination of TLD and email direction (e.g., incoming or outgoing).
In simple terms, this query counts how many emails were delivered for each top-level domain and email direction, helping to understand the distribution of email traffic based on domain types.
Details
Jay Kerai
Released: August 11, 2025
Tables
Keywords
Operators