Query Details

Email Events Most Blocked Domains

Query

//Visualize the most blocked domains sending email inbound to your users

//Data connector required for this query - M365 Defender - Email* tables

//Microsoft Sentinel query
EmailEvents
| where TimeGenerated > ago(7d)                     // last 7 days of mail flow
| where EmailDirection == "Inbound"                // mail coming in to your users
| where DeliveryAction == "Blocked"                // only messages Defender blocked
| extend Domain = tostring(split(SenderMailFromAddress, "@")[-1])   // part after the @ of the envelope (MAIL FROM) sender
| summarize BlockedCount = count() by Domain
| where isnotempty(Domain)                         // drop rows with no envelope sender domain
| sort by BlockedCount desc
| render barchart

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

EmailEvents
| where Timestamp > ago(7d)                        // Advanced Hunting uses Timestamp, not TimeGenerated
| where EmailDirection == "Inbound"
| where DeliveryAction == "Blocked"
| extend Domain = tostring(split(SenderMailFromAddress, "@")[-1])   // envelope (MAIL FROM) sender domain
| summarize BlockedCount = count() by Domain
| where isnotempty(Domain)
| sort by BlockedCount desc
| render barchart

Explanation

This query reads the EmailEvents table (populated in Microsoft Sentinel by the Microsoft 365 Defender connector, or queried directly in Advanced Hunting) to show which sending domains were most often blocked on their way in to your users. It keeps the last 7 days of inbound mail whose DeliveryAction is Blocked, takes the part of SenderMailFromAddress after the @ as the sending domain, counts blocked messages per domain, drops rows with no domain (for example messages with an empty envelope sender, such as bounces), and sorts the result in descending order before rendering it as a bar chart. The only difference between the two versions is the timestamp column: Sentinel stores event time in TimeGenerated, Advanced Hunting in Timestamp.

Two caveats when reading the chart. SenderMailFromAddress is the envelope sender (the SMTP MAIL FROM, also called the P1 or Return-Path address), not the From header the recipient sees; a spoofed display domain will not show up here unless you also look at SenderFromAddress. Domains are also compared as-is, so "Example.com" and "example.com" are counted separately and every subdomain gets its own bar; wrap the split in tolower() if you want case variants merged, or use the schema's SenderMailFromDomain column to skip the split altogether.
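The query above answers "which domains were blocked most", but on its own a high bar can mean a fully blocked bulk sender or a legitimate partner with a few phish-flagged messages. The following variant is an added example, not part of the original page, that keeps the same filter and domain extraction but also counts how the rest of that domain's mail was handled, how many recipients were targeted, how often the visible From header domain differs from the envelope domain (a common spoofing tell), and which threat types Defender attached to the blocked messages. All column names come from the EmailEvents schema; the threshold of 20 rows and the use of Timestamp (swap for TimeGenerated in Sentinel) are choices made for this example.

```kql
// Added example: per-domain blocked count with context.
// Assumes the Advanced Hunting schema; replace Timestamp with TimeGenerated in Sentinel.
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
// Lowercase the envelope domain so "Example.com" and "example.com" merge.
| extend Domain = tolower(tostring(split(SenderMailFromAddress, "@")[-1]))
// Header From (P2) domain, the one the recipient actually sees.
| extend HeaderFromDomain = tolower(tostring(split(SenderFromAddress, "@")[-1]))
| where isnotempty(Domain)
| summarize
    Blocked            = countif(DeliveryAction == "Blocked"),
    Delivered          = countif(DeliveryAction == "Delivered"),
    Junked             = countif(DeliveryAction == "Junked"),
    TargetedRecipients = dcountif(RecipientEmailAddress, DeliveryAction == "Blocked"),
    HeaderFromMismatch = countif(DeliveryAction == "Blocked" and HeaderFromDomain != Domain),
    ThreatTypes        = make_set_if(ThreatTypes, DeliveryAction == "Blocked", 10)
    by Domain
| where Blocked > 0
// Share of this domain's inbound mail that was blocked; 1.0 means nothing got through.
| extend BlockedRatio = round(todouble(Blocked) / (Blocked + Delivered + Junked), 2)
| top 20 by Blocked desc
```

Reading the output: a domain with BlockedRatio near 1.0 and a high TargetedRecipients count is a campaign you can safely block at the connector or tenant allow/block list; a domain with a low ratio but a non-zero HeaderFromMismatch is worth a closer look, because it means mail relayed through that envelope domain claimed to be from somewhere else. Drop the `top 20` and add `| render barchart` if you want the same visual as the original query.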

Details


Matt Zorich

Released: June 17, 2022

Tables

EmailEvents

Keywords

EmailEvents, TimeGenerated, EmailDirection, Inbound, DeliveryAction, Blocked, Domain, SenderMailFromAddress, BlockedCount, isnotempty, sort, render, barchart, Timestamp, Advanced Hunting license

Operators

where, ago, ==, |, extend, tostring, split, [-1], summarize, count(), by, isnotempty, sort by, render
