Query Details

MDO Email Threat Classification By Country

Query

// MDO Email Threat Classification By Country

// https://admin.microsoft.com/AdminPortal/Home?#/MessageCenter/:/messages/MC973503

EmailEvents
| where isnotempty(ThreatClassification)
| extend IPInfo = iff(isnotempty(SenderIPv4),
                      geo_info_from_ip_address(SenderIPv4),
                      geo_info_from_ip_address(SenderIPv6))
| summarize Count = count() by ThreatClassification, tostring(IPInfo.country)
| sort by Count desc

Explanation

This query is designed to analyze email threats by country using data from email events. Here's a simple breakdown of what it does:

  1. Filter for Threats: It starts by selecting email events that have a non-empty "ThreatClassification" field, meaning it only considers emails that have been classified as some type of threat.

  2. Extract Geographic Information: For each email, it attempts to determine the geographic location of the sender from the sender's IP address. It checks whether the sender's IPv4 address is available; if not, it falls back to the IPv6 address. It then retrieves geographic information (such as the country) for that IP address.

  3. Summarize Data: The query counts the number of email threats for each combination of threat classification and country.

  4. Sort Results: Finally, it sorts the results in descending order based on the count, so the most frequently occurring threats by country appear first.

In summary, this query provides a report of email threats categorized by type and country, sorted by the frequency of occurrence.
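The query above leaves two practical gaps: events where neither SenderIPv4 nor SenderIPv6 is populated end up in a bucket whose country is an empty string, and there is no time window, so the counts cover the whole retention period. The following variant is an added example written for this page, not the author's original query; it assumes the standard EmailEvents columns Timestamp and DeliveryAction (values such as "Delivered", "Junked", "Blocked") and uses coalesce() to pick a single sender address, labels missing countries as "Unknown", and adds a count of threats that were actually delivered so that the per-country view doubles as a quick check on filtering effectiveness.

```kql
// Added example: MDO email threat classification by country, last 30 days,
// with an explicit "Unknown" country bucket and a delivered-threat count.
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatClassification)
// Prefer the IPv4 sender address, fall back to IPv6; empty if neither exists.
| extend SenderIP = coalesce(SenderIPv4, SenderIPv6)
// Only call the geo lookup when there is an address to look up.
| extend IPInfo = iff(isnotempty(SenderIP), geo_info_from_ip_address(SenderIP), dynamic(null))
// Events with no sender IP (or an IP with no geo record) get a visible "Unknown" label
// instead of silently collapsing into an empty-string country.
| extend Country = iff(isempty(tostring(IPInfo.country)), "Unknown", tostring(IPInfo.country))
| summarize Count = count(),
            Delivered = countif(DeliveryAction == "Delivered")
  by ThreatClassification, Country
| sort by Count desc
```

Reading the result, a large Delivered value next to a high Count for a given classification and country is the row worth investigating first, since it shows threats that reached mailboxes rather than being junked or blocked; the "Unknown" row tells you how much of the data the country breakdown cannot attribute at all.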

Details


Steven Lim

Released: January 11, 2025

Tables

EmailEvents

Keywords

EmailEvents, ThreatClassification, Country, IPInfo, SenderIPv4, SenderIPv6

Operators

where, isnotempty, extend, iff, geo_info_from_ip_address, summarize, count, by, tostring, sort, desc