Query Details

Email Events Visualize Delivery Actions

Query

//Visualize inbound email actions (Delivered, Junked, Blocked) per day over time

//Data connector required for this query - M365 Defender - Email* tables

//Microsoft Sentinel query
EmailEvents
| where TimeGenerated > ago(90d)
| where EmailDirection == "Inbound"
| summarize Count = count() by DeliveryAction, bin(TimeGenerated, 1d)
| render columnchart with (kind=unstacked, title="Email delivery actions over time")

//Advanced Hunting query. Advanced hunting only retains 30 days of data, so to show a similar visualization, we can slice the events up into 6 hour blocks

//Data connector required for this query - Advanced Hunting license

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| summarize count() by DeliveryAction, bin(Timestamp, 6h)
//Advanced hunting cannot visualize column charts as well as Sentinel, so rendering as a timechart produces a better result
| render timechart

Explanation

This query visualizes the number of inbound email actions (Delivered, Junked, Blocked) over a specified time period. Two variants are given: the Microsoft Sentinel version reads the EmailEvents table from the M365 Defender Email* data connector and buckets 90 days of data per day, while the Advanced Hunting version can only see 30 days of retained data and so buckets per 6 hours instead. Both filter for inbound emails and group the data by the type of delivery action and the time bucket. The visualization is presented as a column chart in Microsoft Sentinel or as a time chart in Advanced Hunting.
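Added example (not part of the original query): the same EmailEvents data reshaped so each day shows its share of Junked and Blocked mail, with days whose Blocked share is at least double the 90-day average flagged. The doubling factor is an assumed, illustrative threshold.

```kql
// Added example, not part of the original query: daily share of each delivery
// action and the days on which the Blocked share is well above its 90-day norm.
// Assumes the same EmailEvents columns as the queries above; the x2 factor is an
// assumed illustrative threshold.
let lookback = 90d;
let inbound = EmailEvents
    | where TimeGenerated > ago(lookback)
    | where EmailDirection == "Inbound";
// Baseline: percentage of inbound mail blocked over the whole window
let baselineBlockedPct = toscalar(
    inbound
    | summarize Blocked = countif(DeliveryAction == "Blocked"), Total = count()
    | project 100.0 * Blocked / Total);
inbound
| summarize Delivered = countif(DeliveryAction == "Delivered"),
            Junked    = countif(DeliveryAction == "Junked"),
            Blocked   = countif(DeliveryAction == "Blocked"),
            Total     = count()
          by Day = bin(TimeGenerated, 1d)
| extend BlockedPct = round(100.0 * Blocked / Total, 1),
         JunkedPct  = round(100.0 * Junked / Total, 1)
// Flag days where the blocked share is at least double the baseline
| extend BlockedSpike = BlockedPct >= 2 * baselineBlockedPct
| project Day, Delivered, Junked, Blocked, Total, JunkedPct, BlockedPct, BlockedSpike
| order by Day asc
```

Pipe the result into `| render timechart` on BlockedPct and JunkedPct if a visual is preferred over the table.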

Details


Matt Zorich

Released: June 17, 2022

Tables

EmailEvents

Keywords

EmailEvents, TimeGenerated, EmailDirection, DeliveryAction, count(), bin(), render, columnchart, kind, unstacked, title, Timestamp, ago, timechart

Operators

where, ago, ==, summarize, count(), by, bin, render
