Query Details
MDO Find Related Mails
Query
# Find Related Emails ## Query Information #### Description The EmailClusterId which can be assigned to a mail is the identifier for the group of similar emails clustered based on heuristic analysis of their contents. Therefore this identifier can be leveraged to find related mails. This is not a hash value of the mail. Once you have identified a suspicious mail, you can run the query below to determine if there are related mails send to your users. This can for example be from a different sender or the content of the mail has changed from *Hello Bob* to *Hello Alice* but the rest of the contents has stayed the same. #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide ### Defender For Endpoint ``` let MaliciousEmailCluseriId = "3163234347533"; // Input the EmailClusterId here EmailEvents | where EmailClusterId == MaliciousEmailCluseriId ``` ### Sentinel ``` let MaliciousEmailCluseriId = "3163234347533"; // Input the EmailClusterId here EmailEvents | where EmailClusterId == MaliciousEmailCluseriId ```
Explanation
The query is used to find related emails based on the EmailClusterId. The EmailClusterId is assigned to a group of similar emails that have been clustered based on their contents. By inputting a suspicious email's EmailClusterId, the query will retrieve any related emails sent to users, even if they are from different senders or have slightly different content. This can help identify any patterns or connections between emails.
Details
Bert-Jan Pals
Released: November 2, 2023
Tables
EmailEvents
Keywords
EmailClusterId,mail,identifier,group,similaremails,heuristicanalysis,contents,suspiciousmail,relatedmails,sender,content,HelloBob,HelloAlice
Operators
|==