Query Details
// MDO Email Threat Classification By ISP //
Microsoft announced the integration of threat classification, produced by advanced large language models (LLMs) and machine learning (ML) models, into the EmailEvents schema. By combining this data with the CloudAppEvents Exchange workload, you can now pinpoint the origin of various email threats by ISP! 🤯 This enhancement gives a clearer picture of email threats broken down by ISP. 🫡

CloudAppEvents
| where Application == "Microsoft Exchange Online"
| where ActionType == "TIMailData-Inline"
| where ActivityType == "Securityevent"
| extend CAInternetMessageId = tostring(parse_json(RawEventData)["InternetMessageId"])
| join EmailEvents on $left.CAInternetMessageId == $right.InternetMessageId
| where isnotempty(ThreatClassification)
| summarize Count=count() by ThreatClassification, ISP
| sort by Count desc
This query is designed to analyze email threats by Internet Service Provider (ISP) using data from Microsoft Exchange Online. Here's a simple breakdown of what it does:
Data Source: It starts by looking at events from Microsoft Exchange Online, specifically focusing on security-related activities.
Filtering: It narrows the events to those produced by inline mail threat-intelligence processing (ActionType "TIMailData-Inline") that are classified as security events.
Data Matching: It extracts the email's unique identifier (InternetMessageId) from the raw event payload and joins it to the matching EmailEvents record, so the Exchange Online activity data and the email data refer to the same message.
Threat Classification: It filters out any events that do not have a threat classification, ensuring only relevant data is analyzed.
Summarization: It counts the number of email threats for each combination of threat classification and ISP.
Sorting: Finally, it sorts the results in descending order by count, so the most common threat classification and ISP pairs appear first.
Overall, this query helps identify and understand the distribution of email threats across different ISPs by leveraging advanced threat classification techniques.
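A variation on the query above, added here as an example and not part of the author's original submission. It scopes both tables to a time window, makes the join kind explicit (KQL's default join is innerunique, which drops duplicate left-side keys and can quietly change the totals), and counts distinct messages with NetworkMessageId rather than rows, because EmailEvents holds one row per recipient and a multi-recipient message would otherwise be counted several times. The column names (Timestamp, NetworkMessageId, DeliveryAction, IPAddress, ISP) are standard advanced hunting schema columns; that the IPAddress on the CloudAppEvents row is the sending IP for this event type is an assumption.

```kql
// Added example, not the original query. Assumes standard advanced hunting
// schema columns; IPAddress on the CloudAppEvents row is assumed to be the
// sending IP for TIMailData-Inline events.
let lookback = 30d;
let exoSecurityEvents =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where Application == "Microsoft Exchange Online"
    | where ActionType == "TIMailData-Inline"
    | where ActivityType == "Securityevent"
    | extend CAInternetMessageId = tostring(parse_json(RawEventData)["InternetMessageId"])
    | where isnotempty(CAInternetMessageId) and isnotempty(ISP)
    | project CAInternetMessageId, ISP, IPAddress;
EmailEvents
| where Timestamp > ago(lookback)
| where isnotempty(ThreatClassification)
// kind=inner keeps every matching pair; the default innerunique would
// dedupe the left-side key and silently alter the counts.
| join kind=inner exoSecurityEvents on $left.InternetMessageId == $right.CAInternetMessageId
// EmailEvents has one row per recipient, so count distinct messages
// (NetworkMessageId) instead of rows to avoid inflating multi-recipient mail.
| summarize Messages = dcount(NetworkMessageId),
            Delivered = dcountif(NetworkMessageId, DeliveryAction == "Delivered"),
            SampleSenderIPs = make_set(IPAddress, 5)
    by ThreatClassification, ISP
| sort by Messages desc
```

The Delivered column is the part worth watching in a detection context: a high message count for an ISP is expected noise if everything was blocked or junked, while a non-zero delivered count for a classification such as business email compromise is what merits a follow-up hunt on those NetworkMessageIds.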

Steven Lim
Released: January 12, 2025